6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68161

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

The attacker is able to intercept or redirect network traffic between the client and the log receiver.
The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68161

CVE-2025-68161:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.logging.log4j:log4j-core	maven	>= 2.0-beta9, < 2.25.3	2.25.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the SslSocketManager class, which is used by the Socket Appender for SSL/TLS connections. The analysis of the provided patch commit 3b93748497e1adbbd027fda8a5e7268ec5d0d578 reveals that the createSocket method within SslSocketManager.java was modified to enforce hostname verification. Previously, the method would establish an SSL connection without verifying that the hostname on the server's certificate matched the configured hostname, creating a man-in-the-middle (MITM) vulnerability. The patch rectifies this by adding logic to enable endpoint identification on the SSLParameters of the socket, using the HTTPS algorithm, and setting the SNIHostName before the TLS handshake. The vulnerable function is org.apache.logging.log4j.core.net.SslSocketManager.createSocket, as it was the function responsible for creating the insecure socket.

Vulnerable functions

org.apache.logging.log4j.core.net.SslSocketManager.createSocket

log4j-core/src/main/java/org/apache/logging/log4j/core/net/SslSocketManager.java

The `createSocket(InetSocketAddress)` method in `SslSocketManager` was responsible for creating and connecting the SSL socket. The original implementation created an `SSLSocket` and connected it to the remote address but did not perform hostname verification, even when configured to do so. This allowed a man-in-the-middle attacker to present a valid certificate for a different hostname and intercept the connection. The patch replaces the vulnerable implementation with a call to a new, private `createSocket` method that correctly performs hostname verification.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender

CVE-2025-68161:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

6.3

6.3

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI