Vulnerabilities

 1 via 1 paths

Dependencies

 38

Source

 GitHub

Commit

 186b81c4

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 1
  • 1
Severity
  • 2
Status
  • 2
  • 0
  • 0

medium severity

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: com.amazonaws:aws-lambda-java-log4j2@1.6.0

Detailed paths

  • Introduced through: l0s/fernet-java8@l0s/fernet-java8#186b81c4cae229793cb5eccb4d4de3094397beff com.amazonaws:aws-lambda-java-log4j2@1.6.0 org.apache.logging.log4j:log4j-core@2.17.1

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.

Workaround

This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.

Remediation

Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: com.amazonaws:aws-lambda-java-log4j2@1.6.0

Detailed paths

  • Introduced through: l0s/fernet-java8@l0s/fernet-java8#186b81c4cae229793cb5eccb4d4de3094397beff com.amazonaws:aws-lambda-java-log4j2@1.6.0 org.apache.logging.log4j:log4j-core@2.17.1 org.junit.vintage:junit-vintage-engine@5.7.2 junit:junit@4.13.2

EPL-1.0 license

EPL-1.0 license vulnerability report