238 matches found
Improper Validation of Certificate with Host Mismatch
Overview org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the...
Improper Output Neutralization for Logs
Overview org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading...
CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.htmllog4j2.sslVerifyHostName system property, but no...
UBUNTU-CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.htmllog4j2.sslVerifyHostName system property, but no...
UBUNTU-CVE-2026-34478
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...
CVE-2026-34478 Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...
CVE-2026-34477
The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.htmllog4j2.sslVerifyHostName system property, but no...
PT-2026-31939
Name of the Vulnerable Software and Affected Versions Apache Log4j Core versions 2.12.0 through 2.25.3 Description A flaw exists where hostname verification is ignored when configured through the verifyHostName attribute of the '' element. This occurs even if the attribute is explicitly set,...
Security Bulletin: There is a vulnerability in log4j-core-2.17.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-68161)
Summary There is a vulnerability in log4j-core-2.17.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname...
Security Bulletin: IBM DevOps Build addresses multiple vulnerabilities.
Summary IBM DevOps Build 7.1.0.3 addresses multiple vulnerabilities. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder...
Security Bulletin: SPSS Collaboration and Deployment Services is affected by an Improper Certificate Validation vulnerability in Apache Log4j Core (CVE-2025-68161)
Summary SPSS Collaboration and Deployment Services is affected by an Improper Certificate Validation vulnerability in Apache Log4j Core CVE-2025-68161. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j...
K000160192: Log4j vulnerability CVE-2025-68161
Security Advisory Description The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https: //logging. apache. org/log4j/2.x/manual/appenders/network...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses log4j-core-2.25.1.jar which is vulnerable to CVE-2025-68161.
Summary IBM Maximo Application Suite - Monitor Component uses log4j-core-2.25.1.jar which is vulnerable to CVE-2025-68161. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions...
ROS-20260224-73-0013
A vulnerability in the Socket Appender component of the Apache Log4j Core logging library API implementation is related to incorrect certificate authentication. Exploitation of the vulnerability could allow a remote attacker to intercept log traffic...
Amazon Linux 2023 : log4j, log4j-jcl, log4j-slf4j (ALAS2023-2026-1398)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1398 advisory. The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName...
Medium: log4j
Issue Overview: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.htmlSslConfiguration-attr-verifyHostName...
MiracleLinux 8 : parfait:0.5 (AXSA:2022-3020:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3020:01 advisory. log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender CVE-2022-23305 log4j: Unsafe deserialization flaw in Chainsaw l...
[SECURITY] [DLA 4444-1] apache-log4j2 security update
Debian LTS Advisory DLA-4444-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany January 19, 2026 https://wiki.debian.org/LTS Package : apache-log4j2 Version : 2.17.1-1deb11u2 CVE ID : CVE-2025-68161 Debian Bug : 1123744 In Apache Log4j2, a Java Logging Framework, t...
Apache Log4j 2.0-beta9 < 2.25.3 MitM
The version of Apache Log4j on the remote host is 2.0-beta9 through 2.25.2. The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName...
Improper TLS Hostname Verification
org.apache.logging.log4j, log4j-core is vulnerable to improper TLS hostname verification. The vulnerability is due to the Socket Appender not enforcing TLS hostname verification even when explicitly enabled, which allows a man-in-the-middle attacker to intercept or redirect log traffic by...