CVE-2026-34477

Severity: Medium (CVSS 4.0 base score 6.3) · EPSS 31.4%
Published Apr 10, 2026 · Last modified Jun 17, 2026

Description

The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it restored hostname verification only when it was enabled via the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName), not when it was configured through the verifyHostName attribute of the <Ssl> element (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName). Although the verifyHostName attribute was introduced in Log4j Core 2.12.0, it was silently ignored in every version through 2.25.3, so setting verifyHostName="true" had no effect and the TLS connections of the affected appenders remained open to interception.

A network-positioned attacker may be able to perform a man-in-the-middle attack when all of the following hold:

  • an SMTP, Socket, or Syslog appender is in use;
  • TLS is configured via a nested <Ssl> element; and
  • the attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or, if no trust store is configured, by a CA in the default Java trust store. Because the host name was never checked, a certificate for any name from such a CA suffices.

The HTTP appender is not affected: it uses a separate verifyHostname attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
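The conditions above translate into two checks an operator can run against a deployment: is the log4j-core build inside the affected window, and does the configuration contain an SMTP, Socket or Syslog appender with a nested <Ssl> element. The script below is an added example for this page, not code from the Log4j project or from the advisory. The configuration it parses is constructed for the example (the host names, appender names and trust-store path are hypothetical); it handles both the short appender syntax (<Socket ...>) and the strict form (<Appender type="Socket" ...>), and it treats the Http appender as unaffected, as the advisory states. The 3.0.0 case mirrors the page's affected-products table.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Version window from the advisory: the verifyHostName attribute appeared in
# 2.12.0, was ignored through 2.25.3, and is honoured from 2.25.4.
AFFECTED_MIN = (2, 12, 0)
FIXED_IN = (2, 25, 4)

# Appenders whose TLS settings live in a nested <Ssl> element and that the
# advisory names as vulnerable. The HTTP appender is excluded on purpose: its own
# verifyHostname attribute was never affected.
VULNERABLE_APPENDERS = {"smtp", "socket", "syslog"}

# Constructed sample configuration (hypothetical hosts, names and paths), not a
# real deployment. The Socket appender is the exposed pattern; the Http appender
# shows the unaffected one; the Console appender is out of scope.
SAMPLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Socket name="collector" host="logs.example.internal" port="6514">
      <Ssl verifyHostName="true">
        <TrustStore location="/etc/log4j/truststore.p12"/>
      </Ssl>
      <JsonTemplateLayout/>
    </Socket>
    <Http name="siem" url="https://siem.example.internal/ingest" verifyHostname="true">
      <Ssl>
        <TrustStore location="/etc/log4j/truststore.p12"/>
      </Ssl>
      <PatternLayout pattern="%m%n"/>
    </Http>
    <Console name="stdout">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="collector"/>
      <AppenderRef ref="siem"/>
    </Root>
  </Loggers>
</Configuration>
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.25.3' -> (2, 25, 3); a pre-release suffix such as '3.0.0-beta3' is dropped."""
    numeric = version.split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def version_affected(version: str) -> bool:
    """True for log4j-core builds the advisory lists as affected."""
    v = parse_version(version)
    if AFFECTED_MIN <= v < FIXED_IN:
        return True
    # The page's product table also lists Log4j 3.0.0 (any pre-release qualifier).
    return v == (3, 0, 0)


def audit_config(xml_text: str) -> List[Dict[str, object]]:
    """One finding per appender that configures TLS through a nested <Ssl> element.

    Log4j matches element names case-insensitively, so this does too.
    """
    root = ET.fromstring(xml_text)
    appenders = next((e for e in root if e.tag.lower() == "appenders"), None)
    findings: List[Dict[str, object]] = []
    if appenders is None:
        return findings
    for app in appenders:
        kind = (app.get("type") or app.tag).lower()
        ssl = next((c for c in app if c.tag.lower() == "ssl"), None)
        if ssl is None:
            continue  # plaintext or non-network appender: not in scope
        findings.append({
            "appender": app.get("name"),
            "type": kind,
            # Recorded for the report only: affected versions ignore this value
            # for SMTP/Socket/Syslog, so "true" here gives no protection.
            "verifyHostName": ssl.get("verifyHostName"),
            "vulnerable": kind in VULNERABLE_APPENDERS,
        })
    return findings


def exposed(version: str, xml_text: str) -> bool:
    """True when an affected log4j-core runs with at least one vulnerable appender."""
    return version_affected(version) and any(f["vulnerable"] for f in audit_config(xml_text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    print("exposed on 2.25.3:", exposed("2.25.3", SAMPLE_CONFIG))
    print("exposed on 2.25.4:", exposed("2.25.4", SAMPLE_CONFIG))
```

Run it against a real log4j2.xml by replacing SAMPLE_CONFIG with the file contents and passing the Implementation-Version from the log4j-core jar manifest to exposed(). A "true" verifyHostName on a flagged appender is not a mitigation on affected versions; only the upgrade to 2.25.4 is.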

CVSS Details

Base Score 6.3 (CVSS 4.0, Medium)
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Impact Confidentiality Low · Integrity None · Availability None
Subsequent System Impact Confidentiality None · Integrity Low · Availability None

Threat Intelligence

EPSS Exploit Probability
31.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-295 Improper Certificate Validation
CWE-297 Improper Validation of Certificate with Host Mismatch

Affected Products

Vendor   Product   Version   Range
apache   log4j     *         ≥2.12.0, <2.25.4
apache   log4j     3.0.0     any

References 5

  • github.com https://github.com/apache/logging-log4j2/pull/4075
    Issue Tracking, Patch
  • lists.apache.org https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
    Mailing List
  • logging.apache.org https://logging.apache.org/cyclonedx/vdr.xml
    Vendor Advisory
  • logging.apache.org https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
    Product
  • logging.apache.org https://logging.apache.org/security.html#CVE-2026-34477
    Vendor Advisory

Remediation

  • Upgrade to Apache Log4j Core 2.25.4 or later, which corrects this issue (vendor advisory).
  • github.com https://github.com/apache/logging-log4j2/pull/4075
    Issue Tracking, Patch