Apache Log4j Core Missing TLS Hostname Verification in Socket Appender Vulnerability

Vulnerability

A vulnerability exists in the Socket Appender of Apache Log4j Core versions 2.0-beta9 prior to 2.25.3, where TLS hostname verification of the peer certificate is not performed. This issue persists even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. As a result, an attacker positioned on the network path who can present a server certificate trusted by the appender's trust store could intercept or redirect log traffic.

Impact

Exploitation of this vulnerability could lead to man-in-the-middle attacks, allowing interception or redirection of log traffic.

Remediation

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which fixes the issue. For earlier versions, the risk can be reduced by carefully restricting the trust store used by the Socket Appender so that it trusts only the intended log server.
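The following log4j2.xml fragment is an added example of the compensating control described above; it is not configuration from the advisory or from the Log4j project. The host name logs.example.internal, port 6514, the trust store path and the environment variable name are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the advisory or the Log4j project.
     Assumptions (constructed): the log collector is logs.example.internal:6514,
     /etc/app/log-server-truststore.p12 holds ONLY that collector's certificate
     (or a private CA used for nothing else), and the trust store password is
     supplied via the LOG_TRUSTSTORE_PASSWORD environment variable. -->
<Configuration status="WARN">
  <Appenders>
    <Socket name="TlsSocket" host="logs.example.internal" port="6514" protocol="SSL">
      <!-- verifyHostName="true" is the documented setting, but on affected
           versions (2.0-beta9 up to but not including 2.25.3) it is not honoured.
           The dedicated TrustStore below is the compensating control: a
           certificate from the public CA set or from any other issuer is rejected
           at chain validation, before the missing hostname check matters. -->
      <SSL protocol="TLSv1.3" verifyHostName="true">
        <TrustStore location="/etc/app/log-server-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
      </SSL>
      <JsonTemplateLayout/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="TlsSocket"/>
    </Root>
  </Loggers>
</Configuration>
```

Because the appender does not check that the certificate's name matches the configured host, any certificate that chains to a CA in this trust store is accepted. Keep the trust store limited to the collector's own certificate or to a private CA that issues no other server certificates; a shared corporate CA or the JVM default cacerts would leave the gap open. After upgrading to 2.25.3 the verifyHostName setting takes effect and the restricted trust store remains good defence in depth.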

Added: Dec 18, 2025, 9:18 PM
Updated: Dec 18, 2025, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 5.0
remediation: 7.9
relevance: 1.6
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.