CVE-2020-9488
First published: Sat Apr 25 2020(Updated: )
Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/apache-log4j2 | 2.17.1-1~deb10u1 2.17.0-1~deb10u1 2.17.1-1~deb11u1 2.17.0-1~deb11u1 2.19.0-2 | |
| redhat/qpid-cpp | <0:1.36.0-31.el6_10a | 0:1.36.0-31.el6_10a |
| redhat/qpid-proton | <0:0.32.0-1.el6_10 | 0:0.32.0-1.el6_10 |
| redhat/qpid-cpp | <0:1.36.0-31.el7a | 0:1.36.0-31.el7a |
| redhat/qpid-proton | <0:0.32.0-2.el7 | 0:0.32.0-2.el7 |
| redhat/nodejs-rhea | <0:1.0.24-1.el8 | 0:1.0.24-1.el8 |
| redhat/qpid-proton | <0:0.32.0-2.el8 | 0:0.32.0-2.el8 |
| redhat/log4j | <2.13.2 | 2.13.2 |
| maven/org.apache.logging.log4j:log4j-core | <2.3.2 | 2.3.2 |
| maven/org.apache.logging.log4j:log4j-core | >=2.4.0<2.12.3 | 2.12.3 |
| maven/org.apache.logging.log4j:log4j | <2.3.2 | 2.3.2 |
| maven/org.apache.logging.log4j:log4j | >=2.4.0<2.12.3 | 2.12.3 |
| maven/org.apache.logging.log4j:log4j-core | >=2.13.0<2.13.2 | 2.13.2 |
| maven/org.apache.logging.log4j:log4j | >=2.13.0<2.13.2 | 2.13.2 |
| Apache Log4j | >=2.0<2.3.2 | |
| Apache Log4j | >=2.4<2.12.3 | |
| Apache Log4j | >=2.13.0<2.13.2 | |
| Oracle Communications Application Session Controller | =3.9m0p1 | |
| Oracle Communications Billing and Revenue Management | =7.5.0.23.0 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
| Oracle Communications Eagle Ftp Table Base Retrieval | =4.5 | |
| Oracle Communications Offline Mediation Controller | =12.0.0.3.0 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Unified Inventory Management | =7.3.0 | |
| Oracle Communications Unified Inventory Management | =7.4.0 | |
| Oracle Data Integrator | =12.2.1.3.0 | |
| Oracle Data Integrator | =12.2.1.4.0 | |
| Oracle Enterprise Manager For Peoplesoft | =13.4.1.1 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6.0.0<=8.1.0.0.0 | |
| Oracle Financial Services Institutional Performance Analytics | =8.0.6 | |
| Oracle Financial Services Institutional Performance Analytics | =8.1.0 | |
| Oracle Financial Services Institutional Performance Analytics | =8.7.0 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.6 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.8 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.1.0 | |
| Oracle Financial Services Price Creation and Discovery | =8.0.6 | |
| Oracle Financial Services Price Creation and Discovery | =8.0.7 | |
| Oracle Financial Services Retail Customer Analytics | =8.0.6 | |
| Oracle FLEXCUBE Core Banking | >=11.5.0<=11.7.0 | |
| Oracle FLEXCUBE Core Banking | =5.2.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Health Sciences Information Manager | =3.0.1 | |
| Oracle Insurance Insbridge Rating And Underwriting | >=5.0.0.0<=5.6.0.0 | |
| Oracle Insurance Insbridge Rating And Underwriting | =5.6.1.0 | |
| Oracle Insurance Policy Administration J2EE | =10.2.0.37 | |
| Oracle Insurance Policy Administration J2EE | =10.2.4.12 | |
| Oracle Insurance Policy Administration J2EE | =11.0.2.25 | |
| Oracle Insurance Policy Administration J2EE | =11.1.0.15 | |
| Oracle Insurance Policy Administration J2EE | =11.2.0.26 | |
| Oracle Insurance Rules Palette | =10.2.0.37 | |
| Oracle Insurance Rules Palette | =10.2.4.12 | |
| Oracle Insurance Rules Palette | =11.0.2.25 | |
| Oracle Insurance Rules Palette | =11.1.0.15 | |
| Oracle Insurance Rules Palette | =11.2.0.26 | |
| Oracle Jd Edwards World Security | =a9.4 | |
| Oracle Oracle Goldengate Application Adapters | =19.1.0.0.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle Policy Automation | >=12.2.0<=12.2.20 | |
| Oracle Policy Automation Connector For Siebel | =10.4.6 | |
| Oracle Policy Automation For Mobile Devices | >=12.2.0<=12.2.20 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Retail Advanced Inventory Planning | =14.1 | |
| Oracle Retail Assortment Planning | =15.0.3.0 | |
| Oracle Retail Assortment Planning | =16.0.3.0 | |
| Oracle Retail Bulk Data Integration | =15.0.3.0 | |
| Oracle Retail Bulk Data Integration | =16.0.3.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =16.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =17.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =18.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =19.0 | |
| Oracle Retail Eftlink | =15.0.2 | |
| Oracle Retail Eftlink | =16.0.3 | |
| Oracle Retail Eftlink | =17.0.2 | |
| Oracle Retail Eftlink | =18.0.1 | |
| Oracle Retail Eftlink | =19.0.1 | |
| Oracle Retail Insights Cloud Service Suite | =19.0 | |
| Oracle Retail Integration Bus | =14.1 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Order Broker Cloud Service | =16.0 | |
| Oracle Retail Order Broker Cloud Service | =18.0 | |
| Oracle Retail Order Broker Cloud Service | =19.0 | |
| Oracle Retail Order Broker Cloud Service | =19.1 | |
| Oracle Retail Order Broker Cloud Service | =19.2 | |
| Oracle Retail Order Broker Cloud Service | =19.3 | |
| Oracle Retail Predictive Application Server | =14.1.3.0 | |
| Oracle Retail Predictive Application Server | =15.0.3.0 | |
| Oracle Retail Predictive Application Server | =16.0.3.0 | |
| Oracle Retail Xstore Point of Service | =15.0.4 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle Siebel Apps - Marketing | <=21.9 | |
| Oracle Siebel Ui Framework | <=21.2 | |
| Oracle Spatial And Graph | =12.2.0.1 | |
| Oracle Spatial And Graph | =18c | |
| Oracle Spatial And Graph | =19c | |
| Oracle Storagetek Acsls | =8.5.1 | |
| Oracle Storagetek Tape Analytics Sw Tool | =2.3.1 | |
| Oracle Utilities Framework | >=4.3.0.1.0<=4.3.0.6.0 | |
| Oracle Utilities Framework | =2.2.0.0.0 | |
| Oracle Utilities Framework | =4.2.0.2.0 | |
| Oracle Utilities Framework | =4.2.0.3.0 | |
| Oracle Utilities Framework | =4.4.0.0.0 | |
| Oracle Utilities Framework | =4.4.0.2.0 | |
| Oracle WebLogic Server | =10.3.6.0.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Qos Reload4j | <1.2.18.3 | |
| IBM QRadar SIEM | <=7.5.0 GA | |
| IBM QRadar SIEM | <=7.4.3 GA - 7.4.3 FP4 | |
| IBM QRadar SIEM | <=7.3.3 GA - 7.3.3 FP10 |
Remedy
Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.apache.org/jira/browse/LOG4J2-2819
- https://security-tracker.debian.org/tracker/CVE-2020-9488
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488
- https://www.openwall.com/lists/oss-security/2020/04/25/1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959450
- https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=6851b5083ef9610bae320bf07e1f24d2aa08851b
- https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=fb91a3d71e2f3dadad6fd1beb2ab857f44fe8bbb
- https://www.cve.org/CVERecord?id=CVE-2020-9488 https://nvd.nist.gov/vuln/detail/CVE-2020-9488
- https://bugzilla.redhat.com/show_bug.cgi?id=1831139
- https://access.redhat.com/errata/RHSA-2020:3817
- https://access.redhat.com/errata/RHSA-2020:3626
- https://access.redhat.com/errata/RHSA-2021:0603
- https://access.redhat.com/errata/RHSA-2020:3779
- https://access.redhat.com/errata/RHSA-2022:0497
- https://access.redhat.com/errata/RHSA-2022:0507
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2021:1044
- https://access.redhat.com/errata/RHSA-2020:2391
- https://access.redhat.com/security/cve/cve-2020-9488
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1831142
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1831143
- https://github.com/apache/logging-log4j2/commit/6851b50/
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://nvd.nist.gov/vuln/detail/CVE-2020-9488
- https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20@%3Cdev.kafka.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200504-0003/
- https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4@%3Ctorque-dev.db.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c023dc0bab5a5881@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b2e59b3f81a932f@%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb46d946ccd8491f@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd997967b195a89a97ca3@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r9776e71e3c67c5d13a91c1eba0dc025b48b802eb7561cc6956d6961c@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra632b329b2ae2324fabbad5da204c4ec2e171ff60348ec4ba698fd40@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987@%3Cgitbox.hive.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d6439662d3782a392f@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab294a43e1e4fe9d04@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebcfb6ee9721a2eb3@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c7f134fce83e03a@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a91923d176b550a807b@%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab9d63a90c432507@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra051e07a0eea4943fa104247e69596f094951f51512d42c924e86c75@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html
- https://www.debian.org/security/2021/dsa-5020
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-vwqq-5vrc-xw9h (Advisory)
- https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c023dc0bab5a5881%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d6439662d3782a392f%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab294a43e1e4fe9d04%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4%40%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebcfb6ee9721a2eb3%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c7f134fce83e03a%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a91923d176b550a807b%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b2e59b3f81a932f%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb46d946ccd8491f%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab9d63a90c432507%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd997967b195a89a97ca3%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r9776e71e3c67c5d13a91c1eba0dc025b48b802eb7561cc6956d6961c%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra051e07a0eea4943fa104247e69596f094951f51512d42c924e86c75%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra632b329b2ae2324fabbad5da204c4ec2e171ff60348ec4ba698fd40%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/180824
- https://www.ibm.com/support/pages/node/6574453
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-9488.
What is the severity of CVE-2020-9488?
The severity of CVE-2020-9488 is high, with a severity value of 3.7.
Which software is affected by CVE-2020-9488?
The Apache Log4j SMTP appender versions 2.12.3 and 2.13.1 are affected by CVE-2020-9488.
How can CVE-2020-9488 be exploited?
CVE-2020-9488 can be exploited through a man-in-the-middle attack intercepting SMTPS connections and leaking log messages sent through the appender.
How do I fix CVE-2020-9488?
To fix CVE-2020-9488, upgrade to Apache Log4j version 2.13.2.
- collector/debian-bugs
- alias/CVE-2020-9488
- collector/security-tracker-debian
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vwqq-5vrc-xw9h
- agent/description
- agent/author
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/debian
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache log4j
- version/apache log4j/2.0
- version/apache log4j/2.4
- version/apache log4j/2.13.0
- vendor/oracle
- canonical/oracle communications application session controller
- version/oracle communications application session controller/3.9m0p1
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/7.5.0.23.0
- version/oracle communications billing and revenue management/12.0.0.3.0
- canonical/oracle communications eagle ftp table base retrieval
- version/oracle communications eagle ftp table base retrieval/4.5
- canonical/oracle communications offline mediation controller
- version/oracle communications offline mediation controller/12.0.0.3.0
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.3.0
- version/oracle communications unified inventory management/7.4.0
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.3.0
- version/oracle data integrator/12.2.1.4.0
- canonical/oracle enterprise manager for peoplesoft
- version/oracle enterprise manager for peoplesoft/13.4.1.1
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6.0.0
- version/oracle financial services analytical applications infrastructure/8.1.0.0.0
- canonical/oracle financial services institutional performance analytics
- version/oracle financial services institutional performance analytics/8.0.6
- version/oracle financial services institutional performance analytics/8.1.0
- version/oracle financial services institutional performance analytics/8.7.0
- canonical/oracle financial services market risk measurement and management
- version/oracle financial services market risk measurement and management/8.0.6
- version/oracle financial services market risk measurement and management/8.0.8
- version/oracle financial services market risk measurement and management/8.1.0
- canonical/oracle financial services price creation and discovery
- version/oracle financial services price creation and discovery/8.0.6
- version/oracle financial services price creation and discovery/8.0.7
- canonical/oracle financial services retail customer analytics
- version/oracle financial services retail customer analytics/8.0.6
- canonical/oracle flexcube core banking
- version/oracle flexcube core banking/11.5.0
- version/oracle flexcube core banking/11.7.0
- version/oracle flexcube core banking/5.2.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle health sciences information manager
- version/oracle health sciences information manager/3.0.1
- canonical/oracle insurance insbridge rating and underwriting
- version/oracle insurance insbridge rating and underwriting/5.0.0.0
- version/oracle insurance insbridge rating and underwriting/5.6.0.0
- version/oracle insurance insbridge rating and underwriting/5.6.1.0
- canonical/oracle insurance policy administration j2ee
- version/oracle insurance policy administration j2ee/10.2.0.37
- version/oracle insurance policy administration j2ee/10.2.4.12
- version/oracle insurance policy administration j2ee/11.0.2.25
- version/oracle insurance policy administration j2ee/11.1.0.15
- version/oracle insurance policy administration j2ee/11.2.0.26
- canonical/oracle insurance rules palette
- version/oracle insurance rules palette/10.2.0.37
- version/oracle insurance rules palette/10.2.4.12
- version/oracle insurance rules palette/11.0.2.25
- version/oracle insurance rules palette/11.1.0.15
- version/oracle insurance rules palette/11.2.0.26
- canonical/oracle jd edwards world security
- version/oracle jd edwards world security/a9.4
- canonical/oracle oracle goldengate application adapters
- version/oracle oracle goldengate application adapters/19.1.0.0.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.56
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- canonical/oracle policy automation
- version/oracle policy automation/12.2.0
- version/oracle policy automation/12.2.20
- canonical/oracle policy automation connector for siebel
- version/oracle policy automation connector for siebel/10.4.6
- canonical/oracle policy automation for mobile devices
- version/oracle policy automation for mobile devices/12.2.0
- version/oracle policy automation for mobile devices/12.2.20
- canonical/oracle primavera unifier
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- canonical/oracle retail advanced inventory planning
- version/oracle retail advanced inventory planning/14.1
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/15.0.3.0
- version/oracle retail assortment planning/16.0.3.0
- canonical/oracle retail bulk data integration
- version/oracle retail bulk data integration/15.0.3.0
- version/oracle retail bulk data integration/16.0.3.0
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/16.0
- version/oracle retail customer management and segmentation foundation/17.0
- version/oracle retail customer management and segmentation foundation/18.0
- version/oracle retail customer management and segmentation foundation/19.0
- canonical/oracle retail eftlink
- version/oracle retail eftlink/15.0.2
- version/oracle retail eftlink/16.0.3
- version/oracle retail eftlink/17.0.2
- version/oracle retail eftlink/18.0.1
- version/oracle retail eftlink/19.0.1
- canonical/oracle retail insights cloud service suite
- version/oracle retail insights cloud service suite/19.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/14.1
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/16.0
- canonical/oracle retail order broker cloud service
- version/oracle retail order broker cloud service/16.0
- version/oracle retail order broker cloud service/18.0
- version/oracle retail order broker cloud service/19.0
- version/oracle retail order broker cloud service/19.1
- version/oracle retail order broker cloud service/19.2
- version/oracle retail order broker cloud service/19.3
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/14.1.3.0
- version/oracle retail predictive application server/15.0.3.0
- version/oracle retail predictive application server/16.0.3.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0.4
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- canonical/oracle siebel apps - marketing
- version/oracle siebel apps - marketing/21.9
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/21.2
- canonical/oracle spatial and graph
- version/oracle spatial and graph/12.2.0.1
- version/oracle spatial and graph/18c
- version/oracle spatial and graph/19c
- canonical/oracle storagetek acsls
- version/oracle storagetek acsls/8.5.1
- canonical/oracle storagetek tape analytics sw tool
- version/oracle storagetek tape analytics sw tool/2.3.1
- canonical/oracle utilities framework
- version/oracle utilities framework/4.3.0.1.0
- version/oracle utilities framework/4.3.0.6.0
- version/oracle utilities framework/2.2.0.0.0
- version/oracle utilities framework/4.2.0.2.0
- version/oracle utilities framework/4.2.0.3.0
- version/oracle utilities framework/4.4.0.0.0
- version/oracle utilities framework/4.4.0.2.0
- canonical/oracle weblogic server
- version/oracle weblogic server/10.3.6.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/qos
- canonical/qos reload4j
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up7