VIR Vulnerability Intelligence Relay

CVE-2020-9488

low
Published 2020-06-05 ยท Modified 2026-05-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
3.7

Description

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Predictions

Exploit likelihood
47%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
โ€” Affected โ€”
debian Debian Mixed 8 releases
VersionStatusFixed in
trixie Fixed 2.13.3-1
sid Fixed 2.13.3-1
forky Fixed 2.13.3-1
bullseye Fixed 2.13.3-1
bookworm Fixed 2.13.3-1
11.0 Affected โ€”
10.0 Affected โ€”
9.0 Affected โ€”

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.apache.logging.log4j:log4j>=2.13.0,<2.13.22.13.2
java Mavenorg.apache.logging.log4j:log4j-core>=2.13.0,<2.13.22.13.2
java Mavenorg.apache.logging.log4j:log4j>=2.4.0,<2.12.32.12.3
java Mavenorg.apache.logging.log4j:log4j<2.3.22.3.2
java Mavenorg.apache.logging.log4j:log4j-core>=2.4.0,<2.12.32.12.3
java Mavenorg.apache.logging.log4j:log4j-core<2.3.22.3.2

Application impact
VendorProductVersionsFixed
oracle oracleretail_assortment_planning16.0.3.0
apache apachelog4j{"startIncluding":"2.0","endExcluding":"2.3.2"}2.3.2
apache apachelog4j{"startIncluding":"2.4","endExcluding":"2.12.3"}2.12.3
apache apachelog4j{"startIncluding":"2.13.0","endExcluding":"2.13.2"}2.13.2
oracle oraclecommunications_application_session_controller3.9m0p1
oracle oraclecommunications_billing_and_revenue_management7.5.0.23.0
oracle oraclecommunications_billing_and_revenue_management12.0.0.3.0
oracle oraclecommunications_eagle_ftp_table_base_retrieval4.5
oracle oraclecommunications_offline_mediation_controller12.0.0.3.0
oracle oraclecommunications_services_gatekeeper7.0
oracle oraclecommunications_unified_inventory_management7.3.0
oracle oraclecommunications_unified_inventory_management7.4.0
oracle oracledata_integrator12.2.1.3.0
oracle oracledata_integrator12.2.1.4.0
oracle oracleenterprise_manager_for_peoplesoft13.4.1.1
oracle oraclefinancial_services_analytical_applications_infrastructure{"startIncluding":"8.0.6.0.0","endIncluding":"8.1.0.0.0"}
oracle oraclefinancial_services_institutional_performance_analytics8.0.6
oracle oraclefinancial_services_institutional_performance_analytics8.1.0
oracle oraclefinancial_services_institutional_performance_analytics8.7.0
oracle oraclefinancial_services_market_risk_measurement_and_management8.0.6
oracle oraclefinancial_services_market_risk_measurement_and_management8.0.8
oracle oraclefinancial_services_market_risk_measurement_and_management8.1.0
oracle oraclefinancial_services_price_creation_and_discovery8.0.6
oracle oraclefinancial_services_price_creation_and_discovery8.0.7
oracle oraclefinancial_services_retail_customer_analytics8.0.6
oracle oracleflexcube_core_banking{"startIncluding":"11.5.0","endIncluding":"11.7.0"}
oracle oracleflexcube_core_banking5.2.0
oracle oracleflexcube_private_banking12.0.0
oracle oracleflexcube_private_banking12.1.0
oracle oraclehealth_sciences_information_manager3.0.1
oracle oracleinsurance_insbridge_rating_and_underwriting{"startIncluding":"5.0.0.0","endIncluding":"5.6.0.0"}
oracle oracleinsurance_insbridge_rating_and_underwriting5.6.1.0
oracle oracleinsurance_policy_administration_j2ee10.2.0.37
oracle oracleinsurance_policy_administration_j2ee10.2.4.12
oracle oracleinsurance_policy_administration_j2ee11.0.2.25
oracle oracleinsurance_policy_administration_j2ee11.1.0.15
oracle oracleinsurance_policy_administration_j2ee11.2.0.26
oracle oracleinsurance_rules_palette10.2.0.37
oracle oracleinsurance_rules_palette10.2.4.12
oracle oracleinsurance_rules_palette11.0.2.25
oracle oracleinsurance_rules_palette11.1.0.15
oracle oracleinsurance_rules_palette11.2.0.26
oracle oraclejd_edwards_world_securitya9.4
oracle oracleoracle_goldengate_application_adapters19.1.0.0.0
oracle oraclepeoplesoft_enterprise_peopletools8.56
oracle oraclepeoplesoft_enterprise_peopletools8.57
oracle oraclepeoplesoft_enterprise_peopletools8.58
oracle oraclepolicy_automation{"startIncluding":"12.2.0","endIncluding":"12.2.20"}
oracle oraclepolicy_automation_connector_for_siebel10.4.6
oracle oraclepolicy_automation_for_mobile_devices{"startIncluding":"12.2.0","endIncluding":"12.2.20"}
oracle oracleprimavera_unifier18.8
oracle oracleprimavera_unifier19.12
oracle oracleretail_advanced_inventory_planning14.1
oracle oracleretail_assortment_planning15.0.3.0
oracle oracleretail_bulk_data_integration15.0.3.0
oracle oracleretail_bulk_data_integration16.0.3.0
oracle oracleretail_customer_management_and_segmentation_foundation16.0
oracle oracleretail_customer_management_and_segmentation_foundation17.0
oracle oracleretail_customer_management_and_segmentation_foundation18.0
oracle oracleretail_customer_management_and_segmentation_foundation19.0
oracle oracleretail_eftlink15.0.2
oracle oracleretail_eftlink16.0.3
oracle oracleretail_eftlink17.0.2
oracle oracleretail_eftlink18.0.1
oracle oracleretail_eftlink19.0.1
oracle oracleretail_insights_cloud_service_suite19.0
oracle oracleretail_integration_bus14.1
oracle oracleretail_integration_bus15.0
oracle oracleretail_integration_bus16.0
oracle oracleretail_order_broker_cloud_service16.0
oracle oracleretail_order_broker_cloud_service18.0
oracle oracleretail_order_broker_cloud_service19.0
oracle oracleretail_order_broker_cloud_service19.1
oracle oracleretail_order_broker_cloud_service19.2
oracle oracleretail_order_broker_cloud_service19.3
oracle oracleretail_predictive_application_server14.1.3.0
oracle oracleretail_predictive_application_server15.0.3.0
oracle oracleretail_predictive_application_server16.0.3.0
oracle oracleretail_xstore_point_of_service15.0.4
oracle oracleretail_xstore_point_of_service16.0.6
oracle oracleretail_xstore_point_of_service17.0.4
oracle oracleretail_xstore_point_of_service18.0.3
oracle oracleretail_xstore_point_of_service19.0.2
oracle oraclesiebel_apps_-_marketing{"endIncluding":"21.9"}
oracle oraclesiebel_ui_framework{"endIncluding":"21.2"}
oracle oraclespatial_and_graph12.2.0.1
oracle oraclespatial_and_graph18c
oracle oraclespatial_and_graph19c
oracle oraclestoragetek_acsls8.5.1
oracle oraclestoragetek_tape_analytics_sw_tool2.3.1
oracle oracleutilities_framework{"startIncluding":"4.3.0.1.0","endIncluding":"4.3.0.6.0"}
oracle oracleutilities_framework2.2.0.0.0
oracle oracleutilities_framework4.2.0.2.0
oracle oracleutilities_framework4.2.0.3.0
oracle oracleutilities_framework4.4.0.0.0
oracle oracleutilities_framework4.4.0.2.0
oracle oracleweblogic_server10.3.6.0.0
qosreload4j{"endExcluding":"1.2.18.3"}1.2.18.3

References

CWEs

CWE-295

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.