Zero Day MonitorZDM
Zero Day Monitor © 2026
CVE-2026-34477 · EXPLOITED · PATCHED
apache · log4j

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

Description

The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName), but not when configured through the verifyHostName attribute of the <Ssl> element (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName). Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, so the TLS connection never checked the peer's host name regardless of the configured value, and setting verifyHostName="true" gave no protection against interception.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

  • An SMTP, Socket, or Syslog appender is in use.
  • TLS is configured via a nested <Ssl> element.
  • The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. Because the host name is never compared, a certificate issued to any name by such a CA is enough.

This issue does not affect users of the HTTP appender, which uses a separate verifyHostname attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
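The exposure described above is a property of the configuration plus the library version, so it can be checked offline. The following Python script is an added example for this page, not code from the Log4j project or the advisory: it parses a Log4j 2 XML configuration, lists every SMTP, Socket or Syslog appender that configures TLS through a nested <Ssl> element (the three conditions the advisory names), and compares the log4j-core version against the affected ranges given in the Affected Products section. It assumes the standard Log4j 2 XML layout (appender plugins as <Socket>/<Syslog>/<SMTP>, or <Appender type="..."> in strict mode, with plugin names matched case-insensitively); the sample configuration embedded in it is constructed for the example.

```python
"""Flag Log4j 2 configs exposed to CVE-2026-34477 (verifyHostName ignored).

Added example, not Log4j project or advisory code. Assumes the Log4j 2 XML
format (<Socket>/<Syslog>/<SMTP> appenders, or strict-mode <Appender type=...>,
plugin names case-insensitive); the sample configuration is constructed.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_APPENDERS = {"socket", "syslog", "smtp"}  # appender types named by the advisory
# log4j-core ranges from the advisory: (lower bound, upper bound, upper bound inclusive?)
AFFECTED_RANGES = [("2.12.0", "2.25.4", False), ("3.0.0-alpha1", "3.0.0-beta3", True)]
FIXED_VERSION = "2.25.4"
_PRERELEASE_RANK = {"alpha": 0, "beta": 1}  # a final release gets rank 2, above both

def parse_version(version):
    """Turn '2.25.3' or '3.0.0-beta3' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d*))?", version.strip().lower())
    if not m or (m.group(4) and m.group(4) not in _PRERELEASE_RANK):
        raise ValueError(f"unrecognised log4j-core version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return nums + (2, 0)
    return nums + (_PRERELEASE_RANK[m.group(4)], int(m.group(5) or 0))

def version_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for lower, upper, inclusive in AFFECTED_RANGES:
        lo, hi = parse_version(lower), parse_version(upper)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False

def _local(tag):
    return tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace, normalise case

def _plugin(elem):
    # Plain form: the element name is the plugin; strict form: <Appender type="Socket">.
    name = _local(elem.tag)
    return elem.get("type", "").lower() if name == "appender" else name

def find_exposed_appenders(config_xml):
    """(name, plugin, protocol, verifyHostName) for every SMTP/Socket/Syslog
    appender that configures TLS through a nested <Ssl> element."""
    hits = []
    for node in ET.fromstring(config_xml).iter():
        if _local(node.tag) != "appenders":
            continue
        for app in node:
            ssl = next((c for c in app if _local(c.tag) == "ssl"), None)
            if _plugin(app) in AFFECTED_APPENDERS and ssl is not None:
                hits.append((app.get("name", "?"), _plugin(app),
                             app.get("protocol") or app.get("smtpProtocol"),
                             ssl.get("verifyHostName")))
    return hits

def assess(config_xml, log4j_core_version):
    """Combine config exposure with the version check. On affected versions the
    attribute's value is irrelevant: verifyHostName="true" still checks nothing."""
    exposed = find_exposed_appenders(config_xml)
    affected = version_affected(log4j_core_version)
    vulnerable = affected and bool(exposed)
    if vulnerable:
        action = f"upgrade log4j-core {log4j_core_version} to {FIXED_VERSION}"
    elif exposed:
        action = "exposed appenders present, but log4j-core is outside the affected range"
    else:
        action = "no SMTP/Socket/Syslog appender with a nested <Ssl>; not exposed"
    return {"version_affected": affected, "exposed": exposed,
            "vulnerable": vulnerable, "action": action}

# Constructed sample: a SIEM socket feed, a strict-mode syslog appender and SMTP
# alerts, all with TLS via <Ssl>; the Console appender is out of scope.
SAMPLE_CONFIG = """
<Configuration>
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT"><PatternLayout pattern="%d %p %m%n"/></Console>
    <Socket name="Siem" host="siem.example.internal" port="6514" protocol="SSL">
      <PatternLayout pattern="%d %p %c %m%n"/>
      <Ssl protocol="TLSv1.3" verifyHostName="true">
        <TrustStore location="/etc/log4j/truststore.p12" password="changeit"/>
      </Ssl>
    </Socket>
    <Appender type="Syslog" name="Audit" host="syslog.example.internal" port="6514" protocol="SSL" format="RFC5424">
      <Ssl verifyHostName="true"/>
    </Appender>
    <SMTP name="Mail" to="soc@example.internal" from="log4j@example.internal" smtpHost="mail.example.internal" smtpPort="465" smtpProtocol="smtps">
      <Ssl/>
    </SMTP>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    verdict = assess(SAMPLE_CONFIG, "2.25.3")
    for name, plugin, proto, verify in verdict["exposed"]:
        print(f"{plugin} appender {name!r}: protocol={proto}, verifyHostName={verify!r}")
    print(verdict["action"])
```

Run against a deployed log4j2.xml and the log4j-core version from the classpath (or from the build's dependency tree); the script deliberately reports the verifyHostName value next to each hit so that a configuration which looks hardened ("true") is not mistaken for a mitigation on an affected release. The only remediation the advisory gives is the upgrade to 2.25.4.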

Affected Products

Vendor: apache
Product: log4j
Versions (maven/org.apache.logging.log4j:log4j-core):
  • >= 2.12.0, < 2.25.4
  • >= 3.0.0-alpha1, <= 3.0.0-beta3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor / Product / Source / Confidence
  • apache / log4j / cert_advisory / 90%
  • maven / org.apache.logging.log4j:log4j-core / GHSA / 85%

References

  • https://github.com/apache/logging-log4j2/pull/4075 (patch)
  • https://logging.apache.org/security.html#CVE-2026-34477 (vendor advisory)
  • https://logging.apache.org/cyclonedx/vdr.xml (vendor advisory)
  • https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName (related)
  • https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4 (vendor advisory)

Related News (6 articles)

Tier B · CERT-FR · 1d ago
Multiple vulnerabilities in IBM products (5 June 2026)
→ No new info (linked only)

Tier B · CERT-FR · 16d ago
Multiple vulnerabilities in Splunk products (21 May 2026)
→ No new info (linked only)

Tier A · Microsoft MSRC · 36d ago
CVE-2026-34477 Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
→ No new info (linked only)

Tier B · BSI Advisories · 53d ago
[NEW] [medium] Apache log4j: Multiple vulnerabilities allow manipulation of files
→ No new info (linked only)

Tier C · VulDB · 56d ago
CVE-2026-34477 | Apache Log4j Core up to 2.25.3/3.0.0-beta3 log4j2.sslVerifyHostName certificate host validation
→ No new info (linked only)

Tier C · oss-security · 56d ago
CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: org.apache.logging.log4j:log4j-core@2.25.4
CWE: CWE-297
Published: Apr 10, 2026
Last enriched: 56d ago (v3)
Trending Score: 57
Source articles: 6
Independent: 5
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-34197 · EXP · KEV
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Trending: 150

MEDIUM · CVE-2026-34479 · EXP
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 65

MEDIUM · CVE-2026-34480 · EXP
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 65

CRITICAL · CVE-2026-50076 · EXP
Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
Trending: 63

MEDIUM · CVE-2026-34478
Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Trending: 47


Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 10, 2026
Discovered by ZDM: Apr 10, 2026
Updated (affectedVersions): Apr 10, 2026
Actively Exploited: Apr 10, 2026
Patch Available: Apr 10, 2026
Updated (severity, activelyExploited, affectedVersions): Apr 10, 2026

Version History

Current: v3, last enriched 56d ago

v3 · Tier C · 56d ago
Updated severity to CRITICAL, marked as actively exploited, and added new affected version 3.0.0-beta3.
Fields changed: severity, activelyExploited, affectedVersions
via VulDB

v2 · Tier C · 56d ago
Updated severity from NONE to MODERATE and added new affected version 3.0.0-beta3.
Fields changed: affectedVersions
via oss-security

v1 · 56d ago
Initial creation