oss-sec mailing list archives

CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

From: Piotr Karwasz <pkarwasz () apache org>
Date: Fri, 10 Apr 2026 13:40:17 +0000

Severity: moderate 

Affected versions:

- Apache Log4j Core (org.apache.logging.log4j:log4j-core) 2.12.0 before 2.25.4
- Apache Log4j Core (org.apache.logging.log4j:log4j-core) 3.0.0-alpha1 through 3.0.0-beta3

Description:

The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed 
hostname verification only when enabled via the  log4j2.sslVerifyHostName 
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not 
when configured through the  verifyHostName 
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of 
the <Ssl> element.

Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all 
versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

  *  An SMTP, Socket, or Syslog appender is in use.
  *  TLS is configured via a nested <Ssl> element.
  *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the 
default Java trust store if none is configured.
This issue does not affect users of the HTTP appender, which uses a separate  verifyHostname 
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was 
not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Credit:

Samuli Leinonen (original reporter) (finder)
Naresh Kandula (independently) (finder)
Vitaly Simonovich (independently) (finder)
Raijuna (independently) (finder)
Danish Siddiqui (djvirus, independently) (finder)
Markus Magnuson (independently) (finder)
Haruki Oyama (Waseda University, independently) (finder)

References:

https://github.com/apache/logging-log4j2/pull/4075
https://logging.apache.org/security.html#CVE-2026-34477
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://logging.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34477

Timeline:

2025-12-20: Vulnerability reported by Samuli Leinonen
2025-12-30: Candidate patch shared internally by Piotr P. Karwasz
2026-02-25: Independent report received from Naresh Kandula
2026-03-01: Independent report received from Vitaly Simonovich
2026-03-02: Independent report received from Raijuna
2026-03-08: Independent report received from Danish Siddiqui
2026-03-19: Independent report received from Markus Magnuson
2026-03-21: Independent report received from Haruki Oyama
2026-03-24: Fix shared publicly by Piotr P. Karwasz as pull request #4075
2026-03-28: Log4j 2.25.4 released

Current thread:

CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass Piotr Karwasz (Apr 10)