CNNVD-202512-3348 Information
CNNVD ID
CNNVD-202512-3348
Related CVE
- CNNVD Published: 2025-12-18
Description
Apache Log4j is a Java-based open-source logging tool from the Apache Foundation in the United States. Apache Log4j 2.25.2 and earlier versions contain a security vulnerability that stems from TLS hostname verification not being performed, which could lead to man-in-the-middle attacks.
Hazard Level
Critical
Vulnerability Type
Other
Affected Vendor
Apache
Published
2025-12-18
Last Modified
2026-02-24
References
http://www.openwall.com/lists/oss-security/2025/12/18/1
https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
https://github.com/apache/logging-log4j2/pull/4002
https://logging.apache.org/security.html#CVE-2025-68161
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://access.redhat.com/security/cve/cve-2025-68161
https://www.oracle.com/security-alerts/cpujan2026.html
Patch
https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx