CVE-2025-68161
TLS Hostname Verification Bypass in Apache Log4j Socket Appender
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4j_core | 2.25.3 |
| apache | log4j_core | 2.25.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68161 is a vulnerability in the Apache Log4j Core's Socket Appender component (versions 2.0-beta9 through 2.25.2) where TLS hostname verification of the peer certificate is not performed, even if the configuration or system property to enable it is set to true. This flaw allows a man-in-the-middle attacker who can intercept or redirect network traffic between the client and the log receiver to present a trusted server certificate and intercept or redirect log traffic. Essentially, the Socket Appender fails to verify that the server it is communicating with matches the expected hostname, which can lead to interception or manipulation of log data. [1]
How can this vulnerability impact me?
This vulnerability can allow a man-in-the-middle attacker to intercept or redirect log traffic between the client and the log receiver if the attacker can intercept or redirect network traffic and present a trusted certificate. This could lead to exposure of sensitive log information or manipulation of log data, potentially enabling further attacks or data breaches. The impact includes a low confidentiality impact but can compromise the integrity and trustworthiness of log data. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-68161, immediately upgrade Apache Log4j Core to version 2.25.3, which fixes the TLS hostname verification issue in the Socket Appender. As an alternative or additional mitigation, configure the Socket Appender to use a private or restricted trust store to limit the set of trusted certificates, reducing the risk of man-in-the-middle attacks. These steps help ensure proper hostname verification and prevent interception or redirection of log traffic. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Apache Log4j Core's Socket Appender allows a man-in-the-middle attacker to intercept or redirect log traffic, potentially exposing sensitive information contained in logs. This exposure could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data during transmission. Failure to ensure secure logging transmission may result in unauthorized access to sensitive data, thereby impacting compliance. Mitigation involves upgrading to version 2.25.3 or restricting the trust store to limit trusted certificates, reducing the risk of interception. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect the CVE-2025-68161 vulnerability on a network or system. The vulnerability involves the Socket Appender in Apache Log4j Core failing to perform TLS hostname verification, which is a configuration and code-level issue rather than something easily detected by network scanning commands. Detection would typically involve verifying the Log4j Core version in use (versions 2.0-beta9 through 2.25.2 are vulnerable) and checking the configuration of the Socket Appender for TLS hostname verification settings. However, no explicit detection commands or network scanning techniques are provided in the available resources.
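The version check described in the answer above can be scripted. The following is an added example written for this page, not code from the Apache Log4j project or from the CVE record: it walks a directory tree for `log4j-core` jars, reads the artifact version from the jar, and reports whether that version falls inside the affected range the page gives (2.0-beta9 up to but not including the fixed release 2.25.3). It assumes the jar carries Maven's standard `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry; the sample jars it scans are constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Version boundaries as stated on the page: first affected and first fixed release.
AFFECTED_LOW = "2.0-beta9"
FIXED = "2.25.3"

# Assumption: Maven's standard pom.properties location inside the log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Accepts "2.25.2", "2.0", "2.0-beta9", "2.0-rc1" (case-insensitive stage).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
# Pre-release ordering: beta < rc < final release.
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}


def version_key(version):
    """Turn a Log4j 2 version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage], int(stage_num or 0))


def is_affected(version):
    """True when AFFECTED_LOW <= version < FIXED, i.e. inside the range the advisory names."""
    return version_key(AFFECTED_LOW) <= version_key(version) < version_key(FIXED)


def jar_version(jar_path):
    """Read the artifact version from pom.properties; None if the jar is not log4j-core."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            data = zf.read(POM_PROPERTIES)
        except KeyError:
            return None
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_directory(root):
    """Return (path, version, affected) for every log4j-core jar under root.

    affected is None when the version string could not be parsed, so an
    unrecognised build is surfaced for manual review rather than silently skipped.
    """
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            version = jar_version(path)
        except zipfile.BadZipFile:
            continue  # not a valid archive; not a jar we can assess
        if version is None:
            continue
        try:
            affected = is_affected(version)
        except ValueError:
            affected = None
        findings.append((str(path), version, affected))
    return findings


def make_sample_jar(path, version):
    """Constructed sample jar (not a real Log4j artifact) containing only pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )


def demo():
    """Build two constructed jars (one affected, one fixed) and scan them."""
    tmp = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jar(os.path.join(tmp, "log4j-core-2.25.2.jar"), "2.25.2")
    make_sample_jar(os.path.join(tmp, "log4j-core-2.25.3.jar"), "2.25.3")
    return sorted(scan_directory(tmp))


if __name__ == "__main__":
    for path, version, affected in demo():
        status = {True: "AFFECTED", False: "fixed", None: "unknown version"}[affected]
        print(f"{status:16} {version:12} {path}")
```

Point `scan_directory` at an application's library directory or an unpacked container image to inventory deployed `log4j-core` versions; a version inside the affected range only matters if the Socket Appender is actually configured with TLS, so pair the inventory with a review of the logging configuration as the answer above suggests.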