Severity
High
Analysis Summary
Apache Logging Services has disclosed a critical vulnerability in Log4j Core, tracked as CVE-2025-68161, affecting versions 2.0-beta9 through 2.25.2. The flaw resides in the Socket Appender component, which fails to properly verify the TLS hostname of peer certificates, even when verification is explicitly enabled. This oversight opens a man-in-the-middle (MITM) attack vector, allowing attackers who can intercept traffic between clients and log receivers to potentially access or redirect sensitive logging data.
The vulnerability requires specific conditions to be exploited. Attackers must intercept network traffic while presenting a server certificate issued by a trusted certification authority. If the Socket Appender trusts that certificate through its configured trust store, the attack can succeed, exposing mission-critical logs that may include user activities, system events, and application behavior. The Apache Logging Services Security Team has rated this flaw as Medium severity, assigning a CVSS 6.3, reflecting both the attack complexity and the prerequisites needed for exploitation.
To mitigate this vulnerability, Apache has released Log4j Core version 2.25.3, which fully addresses the TLS hostname verification issue. Organizations using affected versions are strongly advised to upgrade immediately to protect their logging infrastructure. For systems unable to upgrade promptly, administrators should restrict trust store contents, following NIST SP 800-52 Rev. 2 guidelines, to include only the necessary certificates required for specific communication scopes, such as private or enterprise CAs.
This disclosure highlights the importance of securing logging frameworks, which inherently handle sensitive organizational data. Unauthorized access to log streams can compromise operational security and provide attackers with insights into internal systems. Organizations should audit Log4j dependencies, verify versions, and apply the recommended updates to ensure the integrity, confidentiality, and availability of their logging systems, while Apache continues to monitor and address security threats across its widely deployed logging solutions.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-68161
Affected Vendors
Remediation
- Upgrade Apache Log4j Core immediately to version 2.25.3 or later, which fully fixes the TLS hostname verification issue
- Identify and inventory all applications using Log4j versions 2.0?beta9 through 2.25.2 and prioritize remediation
- Restrict or temporarily disable use of the Socket Appender where it is not strictly required
- Limit network exposure by ensuring log traffic is transmitted only over trusted internal networks
- Harden TLS configurations by reducing trust stores to only required CA certificates, following NIST SP 800?52 Rev. 2 guidance
- Avoid using broad public CA trust stores when communicating with internal or private log receivers
- Monitor network traffic and logs for signs of man?in?the?middle activity or unexpected redirection
- Implement network segmentation and firewall rules to prevent unauthorized interception of logging traffic
- Validate server certificates and logging endpoints as part of regular security audits
- Maintain continuous monitoring of Apache security advisories and apply future patches promptly