<reportApi _class='io.jenkins.plugins.analysis.core.restapi.ReportApi'><issue><addedAt>0</addedAt><authorEmail>-</authorEmail><authorName>-</authorName><baseName>pom.xml</baseName><category></category><columnEnd>0</columnEnd><columnStart>0</columnStart><commit>-</commit><description></description><fileName>mvn/dependencies/log/pom.xml</fileName><fingerprint>71CD7067FBC59DD5193C658794A60BF0</fingerprint><lineEnd>0</lineEnd><lineStart>0</lineStart><message>CVE-2026-34477: CVE-2026-34477

CVE-2026-34477: Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration

For additional help see: **Your dependency is vulnerable to [CVE-2026-34477](https://osv.dev/CVE-2026-34477)**.

## [GHSA-6hg6-v5c8-fphq](https://osv.dev/GHSA-6hg6-v5c8-fphq)

&lt;details&gt;
&lt;summary&gt;Details&lt;/summary&gt;

&gt; The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `&lt;Ssl&gt;` element.
&gt; 
&gt; Although the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.
&gt; 
&gt; A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
&gt; 
&gt;   *  An SMTP, Socket, or Syslog appender is in use.
&gt;   *  TLS is configured via a nested &lt;Ssl&gt; element.
&gt;   *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
&gt; 
&gt; This issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default.
&gt; 
&gt; Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

&lt;/details&gt;

---

### Affected Packages

| Source | Package Name | Package Version |
| --- | --- | --- |
| lockfile:/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/pom.xml | org.apache.logging.log4j:log4j-core | 2.25.3 |

## Remediation

To fix these vulnerabilities, update the affected packages to at least the fixed versions listed below.

### Fixed Versions

| Vulnerability ID | Package Name | Fixed Version |
| --- | --- | --- |
| GHSA-6hg6-v5c8-fphq | org.apache.logging.log4j:log4j-core | 2.25.4 |

If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an
`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.

See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/

Add or append these values to the following config files to ignore this vulnerability:

`/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/osv-scanner.toml`

```
[[IgnoredVulns]]
id = "CVE-2026-34477"
reason = "Your reason for ignoring this vulnerability"
```


Package 'org.apache.logging.log4j:log4j-core@2.25.3' is vulnerable to 'CVE-2026-34477' (also known as 'GHSA-6hg6-v5c8-fphq').</message><moduleName>dependencies.log</moduleName><origin>osv</origin><originName>OSV-Scanner</originName><packageName>-</packageName><reference>1445</reference><severity>NORMAL</severity><toString>pom.xml(0,0): CVE-2026-34477: : CVE-2026-34477: CVE-2026-34477

CVE-2026-34477: Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration

For additional help see: **Your dependency is vulnerable to [CVE-2026-34477](https://osv.dev/CVE-2026-34477)**.

## [GHSA-6hg6-v5c8-fphq](https://osv.dev/GHSA-6hg6-v5c8-fphq)

&lt;details&gt;
&lt;summary&gt;Details&lt;/summary&gt;

&gt; The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `&lt;Ssl&gt;` element.
&gt; 
&gt; Although the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.
&gt; 
&gt; A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
&gt; 
&gt;   *  An SMTP, Socket, or Syslog appender is in use.
&gt;   *  TLS is configured via a nested &lt;Ssl&gt; element.
&gt;   *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
&gt; 
&gt; This issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default.
&gt; 
&gt; Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

&lt;/details&gt;

---

### Affected Packages

| Source | Package Name | Package Version |
| --- | --- | --- |
| lockfile:/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/pom.xml | org.apache.logging.log4j:log4j-core | 2.25.3 |

## Remediation

To fix these vulnerabilities, update the affected packages to at least the fixed versions listed below.

### Fixed Versions

| Vulnerability ID | Package Name | Fixed Version |
| --- | --- | --- |
| GHSA-6hg6-v5c8-fphq | org.apache.logging.log4j:log4j-core | 2.25.4 |

If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an
`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.

See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/

Add or append these values to the following config files to ignore this vulnerability:

`/var/lib/jenkins/workspace/GovWay/mvn/dependencies/log/osv-scanner.toml`

```
[[IgnoredVulns]]
id = "CVE-2026-34477"
reason = "Your reason for ignoring this vulnerability"
```


Package 'org.apache.logging.log4j:log4j-core@2.25.3' is vulnerable to 'CVE-2026-34477' (also known as 'GHSA-6hg6-v5c8-fphq').</toString><type>CVE-2026-34477</type></issue><size>1</size><toString>1 warning (normal: 1)</toString></reportApi>