Apache Log4j Core Hostname Verification Bypass Vulnerability in TLS Configuration

Vulnerability

Apache Log4j Core versions 2.12.0 up to but not including 2.25.4, and 3.0.0-alpha1 through 3.0.0-beta3, ignore the 'verifyHostName' attribute of the '<Ssl>' element, so the TLS connections configured through it are established without the host name check and are susceptible to interception. A network-positioned attacker can exploit this to perform a man-in-the-middle attack under specific conditions, namely when an SMTP, Socket, or Syslog appender is configured to use TLS through a nested '<Ssl>' element. The HTTP appender is not affected: it performs its own hostname verification, which this issue did not touch.

Impact

Exploitation can lead to a man-in-the-middle attack, allowing interception of TLS connections and potential manipulation of log data.

Reproduction

To reproduce this vulnerability, use Apache Log4j Core versions 2.12.0 up to but not including 2.25.4, or 3.0.0-alpha1 through 3.0.0-beta3. Configure an SMTP, Socket, or Syslog appender to use TLS with a nested '<Ssl>' element, and set the 'verifyHostName' attribute to a value that would normally enforce hostname verification. An attacker must then intercept the network traffic and present a certificate that chains to a trusted CA but was issued for a different host name; because the attribute is ignored, the connection is accepted.

Remediation

Upgrade to Apache Log4j Core version 2.25.4, which restores proper hostname verification in TLS configurations. After upgrading, verify that the 'verifyHostName' attribute is correctly applied in the '<Ssl>' element.
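The following script is an added example (not code from the advisory or the Log4j project) that helps with the Reproduction and Remediation steps above: it locates the SMTP/Socket/Syslog appenders carrying a nested '<Ssl>' element in a Log4j 2 XML configuration, reports what 'verifyHostName' they set, and classifies a Log4j Core version string against the affected range quoted in the advisory. The sample configuration, host names and paths are constructed for illustration.

```python
# Added example, not code from the advisory or the Log4j project: find the
# appender/<Ssl> pattern the advisory describes in a Log4j 2 XML configuration
# and classify the running Log4j Core version against the affected range.
import re
import xml.etree.ElementTree as ET

# Appender plugin names taken from the advisory. Log4j matches plugin and
# attribute names case-insensitively, so everything is compared in lower case.
AFFECTED_APPENDERS = {"socket", "smtp", "syslog"}


def find_tls_appenders(config_xml: str) -> list[dict]:
    """One record per SMTP/Socket/Syslog appender that carries a nested <Ssl>."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if appender.tag.lower() not in AFFECTED_APPENDERS:
            continue  # Http and other appenders are out of scope per the advisory
        ssl = next((c for c in appender if c.tag.lower() == "ssl"), None)
        if ssl is None:
            continue  # no TLS on this appender, hostname verification not involved
        attrs = {k.lower(): v for k, v in ssl.attrib.items()}
        findings.append({"name": appender.get("name"), "type": appender.tag,
                         "verifyHostName": attrs.get("verifyhostname")})
    return findings


def version_affected(version: str) -> bool:
    """True when a Log4j Core version lies in the range the advisory lists."""
    if re.fullmatch(r"3\.0\.0-(alpha\d+|beta[123])", version):
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return (2, 12, 0) <= tuple(int(x) for x in m.groups()) < (2, 25, 4)


# Constructed sample configuration: one affected Socket appender with TLS and
# one Http appender, which the advisory says is not affected.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Socket name="tls-socket" host="logs.example.internal" port="6514">
      <Ssl protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/truststore.p12" password="changeit"/>
      </Ssl>
      <PatternLayout pattern="%m%n"/>
    </Socket>
    <Http name="web" url="https://collector.example.internal/logs">
      <Ssl protocol="TLS"/>
    </Http>
  </Appenders>
</Configuration>"""
```

Every appender the scan reports stays exposed until the library is upgraded, since on affected versions the value of 'verifyHostName' is not honoured regardless of what it is set to.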

Added: Apr 10, 2026, 4:54 PM
Updated: Apr 10, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.