CVE-2020-9488

moderate-risk

Published 2020-04-27

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (20)

Log4J

Communications Application Session Controller

Communications Billing And Revenue Management

Communications Eagle Ftp Table Base Retrieval

Communications Offline Mediation Controller

Communications Services Gatekeeper

Communications Unified Inventory Management

Data Integrator

Enterprise Manager For Peoplesoft

Financial Services Analytical Applications Infrastructure

Financial Services Institutional Performance Analytics

Financial Services Market Risk Measurement And Management

Financial Services Price Creation And Discovery

Affected Vendors

Debian Apache Oracle Qos

References (98)

Issue Tracking https://issues.apache.org/jira/browse/LOG4J2-2819

https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dc...

https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399ad...

https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c0...

https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d643...

https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb...

https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e...

https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab29...

https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1...

https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebc...

https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec02...

https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c...

https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b...

https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07...

https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a9192...

https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b...

https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb...

https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab...

https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd99796...

https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5e...

and 78 more references

/ 100

moderate-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 30/34 · Critical