CVE-2025-68161: CWE-297 Improper Validation of Certificate with Host Mismatch in Apache Software Foundation Apache Log4j Core
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
AI Analysis
Technical Summary
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not properly validate the hostname in the TLS peer certificate, ignoring the verifyHostName configuration attribute and the log4j2.sslVerifyHostName system property. This improper validation (CWE-297) may allow attackers who can intercept or redirect network traffic and present a certificate trusted by the configured trust store to intercept or redirect log data. The vulnerability is fixed in Apache Log4j Core version 2.25.3. As an alternative mitigation, restricting the trust root to a private or limited set of certificates can reduce exposure.
Potential Impact
An attacker capable of intercepting or redirecting network traffic between the client and log receiver can exploit this vulnerability to intercept or redirect log traffic by presenting a trusted certificate with a hostname mismatch. This compromises the confidentiality and integrity of log data transmitted over TLS. The CVSS 4.0 score is 6.3 (medium severity), reflecting network attack vector, high attack complexity, and limited confidentiality impact.
Mitigation Recommendations
Upgrade Apache Log4j Core to version 2.25.3, which fixes the hostname verification issue in the Socket Appender. Alternatively, configure the Socket Appender to use a private or restricted trust root to limit trusted certificates and reduce risk. There is no indication that no action is required; therefore, applying the official fix or using the recommended configuration change is advised.
CVE-2025-68161: CWE-297 Improper Validation of Certificate with Host Mismatch in Apache Software Foundation Apache Log4j Core
Description
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not properly validate the hostname in the TLS peer certificate, ignoring the verifyHostName configuration attribute and the log4j2.sslVerifyHostName system property. This improper validation (CWE-297) may allow attackers who can intercept or redirect network traffic and present a certificate trusted by the configured trust store to intercept or redirect log data. The vulnerability is fixed in Apache Log4j Core version 2.25.3. As an alternative mitigation, restricting the trust root to a private or limited set of certificates can reduce exposure.
Potential Impact
An attacker capable of intercepting or redirecting network traffic between the client and log receiver can exploit this vulnerability to intercept or redirect log traffic by presenting a trusted certificate with a hostname mismatch. This compromises the confidentiality and integrity of log data transmitted over TLS. The CVSS 4.0 score is 6.3 (medium severity), reflecting network attack vector, high attack complexity, and limited confidentiality impact.
Mitigation Recommendations
Upgrade Apache Log4j Core to version 2.25.3, which fixes the hostname verification issue in the Socket Appender. Alternatively, configure the Socket Appender to use a private or restricted trust root to limit trusted certificates and reduce risk. There is no indication that no action is required; therefore, applying the official fix or using the recommended configuration change is advised.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2025-12-16T11:30:53.875Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69446a7c4eb3efac36a96175
Added to database: 12/18/2025, 8:56:28 PM
Last enriched: 4/11/2026, 5:25:01 AM
Last updated: 5/10/2026, 4:00:50 AM
Views: 4312
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.