{ "threat_severity" : "Low", "public_date" : "2020-04-25T00:00:00Z", "bugzilla" : { "description" : "log4j: improper validation of certificate with host mismatch in SMTP appender", "id" : "1831139", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, "cvss3" : { "cvss3_base_score" : "3.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-295", "details" : [ "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1" ], "affected_release" : [ { "product_name" : "AMQ Clients 2.y for RHEL 6", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el6", "package" : "qpid-cpp-0:1.36.0-31.el6_10amq" }, { "product_name" : "AMQ Clients 2.y for RHEL 6", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el6", "package" : "qpid-proton-0:0.32.0-1.el6_10" }, { "product_name" : "AMQ Clients 2.y for RHEL 7", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el7", "package" : "qpid-cpp-0:1.36.0-31.el7amq" }, { "product_name" : "AMQ Clients 2.y for RHEL 7", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el7", "package" : "qpid-proton-0:0.32.0-2.el7" }, { "product_name" : "AMQ Clients 2.y for RHEL 8", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el8", "package" : "nodejs-rhea-0:1.0.24-1.el8" }, { "product_name" : "AMQ Clients 2.y for RHEL 8", "release_date" : "2020-09-23T00:00:00Z", "advisory" : "RHSA-2020:3817", "cpe" : "cpe:/a:redhat:a_mq_clients:2::el8", "package" : "qpid-proton-0:0.32.0-2.el8" }, { "product_name" : "Red Hat Data Grid", "release_date" : "2020-09-03T00:00:00Z", "advisory" : "RHSA-2020:3626", "cpe" : "cpe:/a:redhat:jboss_data_grid:8", "package" : "log4j-core" }, { "product_name" : "Red Hat Data Grid 7.3.7", "release_date" : "2020-09-17T00:00:00Z", "advisory" : "RHSA-2020:3779", "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3", "package" : "log4j" }, { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "log4j-core" }, { "product_name" : "Red Hat Fuse 7.8.0", "release_date" : "2020-12-16T00:00:00Z", "advisory" : "RHSA-2020:5568", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "log4j" }, { "product_name" : "Red Hat JBoss Data Virtualization 6.4.8.SP1", "release_date" : "2022-02-09T00:00:00Z", "advisory" : "RHSA-2022:0497", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4" }, { "product_name" : "Red Hat JBoss Data Virtualization 6.4.8.SP2", "release_date" : "2022-02-10T00:00:00Z", "advisory" : "RHSA-2022:0507", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4" }, { "product_name" : "RHDM 7.10.0", "release_date" : "2021-02-17T00:00:00Z", "advisory" : "RHSA-2021:0603", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.10", "package" : "log4j-core" }, { "product_name" : "RHPAM 7.10.1", "release_date" : "2021-03-30T00:00:00Z", "advisory" : "RHSA-2021:1044", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.10", "package" : "log4j-core" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2020-06-17T00:00:00Z", "advisory" : "RHSA-2020:2391", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "log4j" }, { "product_name" : "Text-Only RHOAR", "release_date" : "2020-06-17T00:00:00Z", "advisory" : "RHSA-2020:2391", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "log4j-core" } ], "package_state" : [ { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Fix deferred", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "log4j", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "parfait:0.5/log4j12", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Out of support scope", "package_name" : "log4j-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Out of support scope", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Will not fix", "package_name" : "log4j-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Fix deferred", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Satellite 5", "fix_state" : "Out of support scope", "package_name" : "nutch", "cpe" : "cpe:/a:redhat:network_satellite:5" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "log4j-over-slf4j", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Out of support scope", "package_name" : "rh-java-common-log4j", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Fix deferred", "package_name" : "rh-maven35-log4j12", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Fix deferred", "package_name" : "rh-maven36-log4j12", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Fix deferred", "package_name" : "log4j", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-9488\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-9488" ], "name" : "CVE-2020-9488", "mitigation" : { "value" : "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "lang" : "en:us" }, "csaw" : false }