apache log4j CVE-2020-9488 vulnerability in Apache and Other Products
Published on April 27, 2020

product logo product logo product logo product logo
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-9488 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.


Products Associated with CVE-2020-9488

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-9488 are published in these products:

Apache Log4j
 
Oracle Communications Unified Inventory Management
 
Oracle Data Integrator
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Financial Services Market Risk Measurement Management
 
Oracle Financial Services Price Creation Discovery
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Policy Automation Connector Siebel
 
Oracle Primavera Unifier
 
Oracle Retail Customer Management Segmentation Foundation
 
Oracle Retail Integration Bus
 
Oracle Utilities Framework
 
Oracle Weblogic Server
 
Oracle Communications Application Session Controller
 
Oracle Communications Billing Revenue Management
 
Oracle Communications Offline Mediation Controller
 
Oracle Communications Services Gatekeeper
 
Oracle Enterprise Manager Peoplesoft
 
Oracle Financial Services Institutional Performance Analytics
 
Oracle Financial Services Retail Customer Analytics
 
Oracle Flexcube Core Banking
 
Oracle Flexcube Private Banking
 
Oracle Health Sciences Information Manager
 
Oracle Insurance Insbridge Rating Underwriting
 
Oracle Insurance Policy Administration J2ee
 
Oracle Insurance Rules Palette
 
Oracle Goldengate Application Adapters
 
Oracle Policy Automation
 
Oracle Policy Automation Mobile Devices
 
Oracle Retail Advanced Inventory Planning
 
Oracle Retail Assortment Planning
 
Oracle Retail Bulk Data Integration
 
Oracle Retail Order Broker Cloud Service
 
Oracle Retail Predictive Application Server
 
Oracle Spatial And Graph
 
Oracle Storagetek Tape Analytics Sw Tool
 
Oracle Communications Eagle Ftp Table Base Retrieval
 
Oracle Jd Edwards World Security
 
Oracle Retail Eftlink
 
Oracle Retail Insights Cloud Service Suite
 
Oracle Retail Xstore Point Of Service
 
Oracle Siebel Apps Marketing
 
Oracle Siebel Ui Framework
 
Debian Linux
 
Qos Reload4j
 
Oracle Storagetek Acsls
 

Affected Versions

Apache Log4j:

Exploit Probability

EPSS
0.03%
Percentile
8.89%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.