Vulnerability Description
Improper validation of a certificate with a host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4J | >= 2.0, < 2.3.2 |
| Oracle | Communications Application Session Controller | 3.9m0p1 |
| Oracle | Communications Billing And Revenue Management | 7.5.0.23.0 |
| Oracle | Communications Eagle Ftp Table Base Retrieval | 4.5 |
| Oracle | Communications Offline Mediation Controller | 12.0.0.3.0 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Unified Inventory Management | 7.3.0 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Enterprise Manager For Peoplesoft | 13.4.1.1 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0.0, <= 8.1.0.0.0 |
| Oracle | Financial Services Institutional Performance Analytics | 8.0.6 |
| Oracle | Financial Services Market Risk Measurement And Management | 8.0.6 |
| Oracle | Financial Services Price Creation And Discovery | 8.0.6 |
| Oracle | Financial Services Retail Customer Analytics | 8.0.6 |
| Oracle | Flexcube Core Banking | >= 11.5.0, <= 11.7.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Health Sciences Information Manager | 3.0.1 |
| Oracle | Insurance Insbridge Rating And Underwriting | >= 5.0.0.0, <= 5.6.0.0 |
| Oracle | Insurance Policy Administration J2Ee | 10.2.0.37 |
| Oracle | Insurance Rules Palette | 10.2.0.37 |
References
- https://issues.apache.org/jira/browse/LOG4J2-2819 (Issue Tracking, Mitigation, Patch)
- https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dc
- https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399ad
- https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c0
- https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d643
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb
- https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e
- https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab29
- https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1
- https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebc
- https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec02
- https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c
- https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b
- https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07
- https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a9192
FAQ
What is CVE-2020-9488?
CVE-2020-9488 is a vulnerability with a CVSS score of 3.7 (LOW). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messa...
How severe is CVE-2020-9488?
CVE-2020-9488 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-9488?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Log4J, Oracle Communications Application Session Controller, Oracle Communications Billing And Revenue Management, Oracle Communications Eagle Ftp Table Base Retrieval, Oracle Communications Offline Mediation Controller.