CVE-2020-9488 - Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Log4j
Debian	Debian Linux
Oracle	Communications Application Session Controller Communications Billing And Revenue Management Communications Eagle Ftp Table Base Retrieval Communications Offline Mediation Controller Communications Services Gatekeeper Communications Unified Inventory Management Data Integrator Enterprise Manager For Peoplesoft Financial Services Analytical Applications Infrastructure Financial Services Institutional Performance Analytics Financial Services Market Risk Measurement And Management Financial Services Price Creation And Discovery Financial Services Retail Customer Analytics Flexcube Core Banking Flexcube Private Banking Health Sciences Information Manager Insurance Insbridge Rating And Underwriting Insurance Policy Administration J2ee Insurance Rules Palette Jd Edwards World Security Oracle Goldengate Application Adapters Peoplesoft Enterprise Peopletools Policy Automation Policy Automation Connector For Siebel Policy Automation For Mobile Devices Primavera Unifier Retail Advanced Inventory Planning Retail Assortment Planning Retail Bulk Data Integration Retail Customer Management And Segmentation Foundation Retail Eftlink Retail Insights Cloud Service Suite Retail Integration Bus Retail Order Broker Cloud Service Retail Predictive Application Server Retail Xstore Point Of Service Siebel Apps - Marketing Siebel Ui Framework Spatial And Graph Storagetek Acsls Storagetek Tape Analytics Sw Tool Utilities Framework Weblogic Server
Qos	Reload4j
Redhat	A Mq Clients Jboss Data Grid Jboss Data Virtualization Jboss Enterprise Bpms Platform Jboss Enterprise Brms Platform Jboss Fuse Openshift Application Runtimes

Configuration 1 [-]

OR	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::

Configuration 2 [-]

OR	cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:::::::*
	cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.4.1.1:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:::::::*
	cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.7.0:::::::*
	cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:::::::*
	cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:::::::*
	cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:::::::*
	cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:::::::*
	cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking::::::::
	cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:::::::*
	cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting::::::::
	cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0.37:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4.12:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2.25:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0.15:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0.26:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.0.37:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.4.12:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2.25:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.1.0.15:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.2.0.26:::::::*
	cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:::::::*
	cpe:2.3:a:oracle:oracle_goldengate_application_adapters:19.1.0.0.0:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:policy_automation::::::::
	cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:::::::*
	cpe:2.3:a:oracle:policy_automation_for_mobile_devices::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::*
	cpe:2.3:a:oracle:retail_eftlink:15.0.2:::::::*
	cpe:2.3:a:oracle:retail_eftlink:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_eftlink:17.0.2:::::::*
	cpe:2.3:a:oracle:retail_eftlink:18.0.1:::::::*
	cpe:2.3:a:oracle:retail_eftlink:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_insights_cloud_service_suite:19.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:14.1:::::::*
cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:18.0:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.0:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.1:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.2:::::::*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:19.3:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.0:::::::*
cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
cpe:2.3:a:oracle:siebel_apps_-_marketing::::::::
cpe:2.3:a:oracle:siebel_ui_framework::::::::
cpe:2.3:a:oracle:spatial_and_graph:12.2.0.1:::::::*
cpe:2.3:a:oracle:spatial_and_graph:18c:::::::*
cpe:2.3:a:oracle:spatial_and_graph:19c:::::::*
cpe:2.3:a:oracle:storagetek_acsls:8.5.1:::::::*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:::::::*
cpe:2.3:a:oracle:utilities_framework::::::::
cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
AMQ Clients 2.y for RHEL 6
qpid-cpp-0:1.36.0-31.el6_10amq	cpe:/a:redhat:a_mq_clients:2::el6	RHSA-2020:3817	2020-09-23T00:00:00Z
qpid-proton-0:0.32.0-1.el6_10	cpe:/a:redhat:a_mq_clients:2::el6	RHSA-2020:3817	2020-09-23T00:00:00Z
AMQ Clients 2.y for RHEL 7
qpid-cpp-0:1.36.0-31.el7amq	cpe:/a:redhat:a_mq_clients:2::el7	RHSA-2020:3817	2020-09-23T00:00:00Z
qpid-proton-0:0.32.0-2.el7	cpe:/a:redhat:a_mq_clients:2::el7	RHSA-2020:3817	2020-09-23T00:00:00Z
AMQ Clients 2.y for RHEL 8
nodejs-rhea-0:1.0.24-1.el8	cpe:/a:redhat:a_mq_clients:2::el8	RHSA-2020:3817	2020-09-23T00:00:00Z
qpid-proton-0:0.32.0-2.el8	cpe:/a:redhat:a_mq_clients:2::el8	RHSA-2020:3817	2020-09-23T00:00:00Z
Red Hat Data Grid
log4j-core	cpe:/a:redhat:jboss_data_grid:8	RHSA-2020:3626	2020-09-03T00:00:00Z
Red Hat Data Grid 7.3.7
log4j	cpe:/a:redhat:jboss_data_grid:7.3	RHSA-2020:3779	2020-09-17T00:00:00Z
Red Hat Fuse 7.10
log4j-core	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:5134	2021-12-14T00:00:00Z
Red Hat Fuse 7.8.0
log4j	cpe:/a:redhat:jboss_fuse:7	RHSA-2020:5568	2020-12-16T00:00:00Z
Red Hat JBoss Data Virtualization 6.4.8.SP1
	cpe:/a:redhat:jboss_data_virtualization:6.4	RHSA-2022:0497	2022-02-09T00:00:00Z
Red Hat JBoss Data Virtualization 6.4.8.SP2
	cpe:/a:redhat:jboss_data_virtualization:6.4	RHSA-2022:0507	2022-02-10T00:00:00Z
RHDM 7.10.0
log4j-core	cpe:/a:redhat:jboss_enterprise_brms_platform:7.10	RHSA-2021:0603	2021-02-17T00:00:00Z
RHPAM 7.10.1
log4j-core	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.10	RHSA-2021:1044	2021-03-30T00:00:00Z
Text-Only RHOAR
log4j	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2020:2391	2020-06-17T00:00:00Z
log4j-core	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2020:2391	2020-06-17T00:00:00Z

References

Link	Providers
https://issues.apache.org/jira/browse/LOG4J2-2819
https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05%40%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r1fc73f0e16ec2fa249d3ad39a5194afb9cc5afb4c023dc0bab5a5881%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r22a56beb76dd8cf18e24fda9072f1e05990f49d6439662d3782a392f%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6%40%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r33864a0fc171c1c4bf680645ebb6d4f8057899ab294a43e1e4fe9d04%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4%40%3Ctorque-dev.db.apache.org%3E
https://lists.apache.org/thread.html/r3d1d00441c55144a4013adda74b051ae7864128ebcfb6ee9721a2eb3%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r45916179811a32cbaa500f972de9098e6ee80ee81c7f134fce83e03a%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809%40%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r4d5dc9f3520071338d9ebc26f9f158a43ae28a91923d176b550a807b%40%3Cdev.hive.apache.org%3E
https://lists.apache.org/thread.html/r4db540cafc5d7232c62e076051ef661d37d345015b2e59b3f81a932f%40%3Cdev.hive.apache.org%3E
https://lists.apache.org/thread.html/r4ed1f49616a8603832d378cb9d13e7a8b9b27972bb46d946ccd8491f%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r5a68258e5ab12532dc179edae3d6e87037fa3b50ab9d63a90c432507%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r65578f3761a89bc164e8964acd5d913b9f8fd997967b195a89a97ca3%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695%40%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5%40%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/r9776e71e3c67c5d13a91c1eba0dc025b48b802eb7561cc6956d6961c%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/ra051e07a0eea4943fa104247e69596f094951f51512d42c924e86c75%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/ra632b329b2ae2324fabbad5da204c4ec2e171ff60348ec4ba698fd40%40%3Cissues.hive.apache.org%3E
https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3%40%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E
https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E
https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701%40%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E
https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/re024d86dffa72ad800f2848d0c77ed93f0b78ee808350b477a6ed987%40%3Cgitbox.hive.apache.org%3E
https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f%40%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html
https://nvd.nist.gov/vuln/detail/CVE-2020-9488
https://security.netapp.com/advisory/ntap-20200504-0003/
https://www.cve.org/CVERecord?id=CVE-2020-9488
https://www.debian.org/security/2021/dsa-5020
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

Fri, 29 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00013}`	epss `{'score': 0.00016}`

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00012}`	epss `{'score': 0.00013}`

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00016}`	epss `{'score': 0.00012}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2020-04-27T15:36:10.000Z

Updated: 2026-05-29T16:07:52.931Z

Reserved: 2020-03-01T00:00:00.000Z

Link: CVE-2020-9488

Vulnrichment

Updated: 2024-08-04T10:26:16.370Z

NVD

Status : Modified

Published: 2020-04-27T16:15:12.897

Modified: 2026-05-29T18:16:27.647

Link: CVE-2020-9488

Redhat

Severity : Low

Publid Date: 2020-04-25T00:00:00Z

Links: CVE-2020-9488 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object