Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-2819

Add support for specifying an SSL configuration for SmtpAppender

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.13.1
    • 2.13.2, 2.12.3, 2.3.2
    • Appenders
    • None

    Description

      The SmtpAppender should be able to use an SSL configuration element to specify a trust store, host name verification, and a key store, so that smtps connections can be further configured. This should re-use the same <SSL/> configuration element that's used elsewhere like HttpAppender.

      CVE-2020-9488

      The SmtpAppender did not verify the host name matched the SSL/TLS certificate of an SMTPS connection which could allow an attacker with man-in-the-middle access to intercept log messages sent through SMTPS.

      Mitigation

      Upgrade to 2.13.2 which supports this feature. Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.

      Details

      CWE: 297
      CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
      Reporter: Peter Stöckli <peter.stockli@alphabot.com>

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #626

          Activity

            People

              mattsicker Matt Sicker
              mattsicker Matt Sicker
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: