Bug#1123744: apache-log4j2: CVE-2025-68161

Salvatore Bonaccorso carnil at debian.org
Sat Dec 20 20:14:12 GMT 2025 

Source: apache-log4j2
Version: 2.19.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4j2/pull/4002
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for apache-log4j2.

CVE-2025-68161[0]:
| The Socket Appender in Apache Log4j Core versions 2.0-beta9 through
| 2.25.2 does not perform TLS hostname verification of the peer
| certificate, even when the  verifyHostName https://logging.apache.or
| g/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-
| verifyHostName  configuration attribute or the
| log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual
| /systemproperties.html#log4j2.sslVerifyHostName  system property is
| set to true.  This issue may allow a man-in-the-middle attacker to
| intercept or redirect log traffic under the following conditions:
| *  The attacker is able to intercept or redirect network traffic
| between the client and the log receiver.   *  The attacker can
| present a server certificate issued by a certification authority
| trusted by the Socket Appender’s configured trust store (or by the
| default Java trust store if no custom trust store is configured).
| Users are advised to upgrade to Apache Log4j Core version 2.25.3,
| which addresses this issue.  As an alternative mitigation, the
| Socket Appender may be configured to use a private or restricted
| trust root to limit the set of trusted certificates.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68161
    https://www.cve.org/CVERecord?id=CVE-2025-68161
[1] https://github.com/apache/logging-log4j2/pull/4002
[2] https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the pkg-java-maintainers mailing list