Vulnerability lake

To find CVE, enter it here
Search
You may use syntax like CVE-2021-25322

CVE-2020-9488

Description

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Severity

CVSS Version 3.x

Base score: 3.7 Exploit score: 2.2 Impact score: 1.4

Base Score (vectoral): CVSS:3.1 - AV:N - AC:H - PR:N - UI:N - S:U - C:L - I:N - A:N

CVSS Version 2.0

Base score: 4.3 Exploit score: 8.6 Impact score: 2.9

Base Score (vectoral): CVSS:2.0 - AV:N - AC:M - Au:N - C:P - I:N - A:N

Weakness Enumeration

CWE-295

Change History

Last Modified: May 12, 2022

Known Affected Software Configurations

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0.37:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:10.2.0.37:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:10.2.4.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:11.0.2.25:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:11.1.0.15:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:11.2.0.26:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:oracle_goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_assortment_planning:15.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_assortment_planning:16.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_bulk_data_integration:15.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:16.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:17.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:18.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_insights_cloud_service_suite:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:18.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_apps_-_marketing:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:spatial_and_graph:12.2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:spatial_and_graph:18c:*:*:*:*:*:*:*

cpe:2.3:a:oracle:spatial_and_graph:19c:*:*:*:*:*:*:*

cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References to Advisories, Solutions, and Tools

[CONFIRM] https://issues.apache.org/jira/browse/LOG4J2-2819

[MLIST] [zookeeper-issues] 20200504 [jira] [Created] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[MLIST] [zookeeper-dev] 20200504 [jira] [Created] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[CONFIRM] https://security.netapp.com/advisory/ntap-20200504-0003/

[MLIST] [zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489

[MLIST] [zookeeper-issues] 20200504 [jira] [Commented] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[MLIST] [zookeeper-dev] 20200504 log4j SmtpAppender related CVE

[MLIST] [zookeeper-issues] 20200504 [jira] [Assigned] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[MLIST] [zookeeper-notifications] 20200504 [GitHub] [zookeeper] symat opened a new pull request #1346: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488

[MLIST] [zookeeper-issues] 20200504 [jira] [Updated] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[MLIST] [zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488

[MLIST] [zookeeper-notifications] 20200504 [GitHub] [zookeeper] symat commented on pull request #1346: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488

[MLIST] [zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488

[MLIST] [zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488

[MLIST] [zookeeper-issues] 20200504 [jira] [Resolved] (ZOOKEEPER-3817) owasp failing due to CVE-2020-9488

[MLIST] [kafka-dev] 20200514 [jira] [Created] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities

[MLIST] [kafka-jira] 20200514 [jira] [Created] (KAFKA-9996) upgrade zookeeper to 3.5.8 to address security vulnerabilities

[MLIST] [kafka-dev] 20200514 [jira] [Created] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488

[MLIST] [kafka-jira] 20200514 [jira] [Created] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488

[MLIST] [kafka-jira] 20200515 [jira] [Commented] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488

[MISC] https://www.oracle.com/security-alerts/cpujul2020.html

[MLIST] [db-torque-dev] 20200715 Build failed in Jenkins: Torque4-trunk #685

[MISC] https://www.oracle.com/security-alerts/cpuoct2020.html

[MLIST] [hive-issues] 20201207 [jira] [Updated] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-dev] 20201207 [jira] [Created] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20201207 [jira] [Assigned] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20201207 [jira] [Work started] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20201208 [jira] [Work logged] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20201208 [jira] [Updated] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MISC] https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987@%3Cgitbox.hive.apache.org%3E

[MLIST] [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list

[MISC] https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E

[MISC] https://www.oracle.com/security-alerts/cpujan2021.html

[MLIST] [hive-issues] 20210125 [jira] [Work logged] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [db-torque-dev] 20210127 Re: Items for our (delayed) quarterly report to the board?

[MLIST] [db-torque-dev] 20210128 Antwort: Re: Items for our (delayed) quarterly report to the board?

[MLIST] [hive-issues] 20210209 [jira] [Resolved] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20210216 [jira] [Resolved] (HIVE-24787) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-dev] 20210216 [jira] [Created] (HIVE-24787) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20210216 [jira] [Assigned] (HIVE-24787) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [hive-issues] 20210218 [jira] [Updated] (HIVE-24787) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

[MLIST] [mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar

[MLIST] [flink-issues] 20210510 [GitHub] [flink] zentol opened a new pull request #15879: [FLINK-22407][build] Bump log4j to 2.24.1

[MISC] https://www.oracle.com/security-alerts/cpuApr2021.html

[MLIST] [kafka-users] 20210617 vulnerabilities

[MISC] https://www.oracle.com/security-alerts/cpuoct2021.html

[DEBIAN] DSA-5020

[MLIST] [debian-lts-announce] 20211226 [SECURITY] [DLA 2852-1] apache-log4j2 security update

[MISC] https://www.oracle.com/security-alerts/cpuapr2022.html

Related articles

What is the 'Base Score'?
What is the 'Exploit Score'?
What is the 'Impact Score'?