CVE-2020-9488
Man-in-the-Middle (MITM) vulnerability in log4j (Maven)

Man-in-the-Middle (MITM) Proof of concept

What is CVE-2020-9488 About?

This vulnerability affects Apache Log4j's SMTP appender prior to version 2.13.2. It stems from the appender not checking that the host name in the server's certificate matches the configured SMTPS server (a host mismatch), so a certificate issued for a different host is accepted. An attacker can perform a Man-in-the-Middle attack to intercept log messages. Exploitation is moderately complex, requiring network interception capabilities.

Affected Software

  • org.apache.logging.log4j:log4j
    • <2.3.2
    • >2.13.0, <2.13.2
    • >2.4.0, <2.12.3
  • org.apache.logging.log4j:log4j-core
    • <2.3.2
    • >2.13.0, <2.13.2
    • >2.4.0, <2.12.3

Technical Details

The vulnerability exists in Apache Log4j's SMTP appender in versions prior to 2.13.2. When configured to send logs via SMTPS (SMTP over SSL/TLS), the appender fails to properly validate the hostname against the Common Name (CN) or Subject Alternative Name (SAN) fields in the presented SSL/TLS certificate. This 'host mismatch' allows an attacker to present a valid certificate for a different domain, or a self-signed certificate, and intercept the SMTPS connection. A Man-in-the-Middle (MITM) attacker can position themselves between the Log4j application and the legitimate SMTP server, proxying the connection and silently decrypting, reading, and potentially altering log messages that are transmitted through the appender, compromising the confidentiality and integrity of sensitive log data.
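The check the appender omitted is host name verification: after the TLS handshake, the host name the appender was configured to reach must be matched against the certificate's dNSName SAN entries (or the subject CN when no SAN is present), following RFC 6125 rules. The following is an added example, not code from Log4j or from the PoC referenced on this page; the certificates are constructed dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the host names are placeholders.

```python
"""Host name verification of a TLS peer certificate (RFC 6125 style).

Added illustration of the check missing from the vulnerable SMTP appender:
a chain-valid certificate for the wrong host must still be rejected.
"""

# Constructed certificates (not real), in getpeercert() dict shape.
LEGIT_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.mail.example.com")),
}
# A perfectly valid certificate, just issued for a different host: this is
# the "host mismatch" case the vulnerable appender accepted.
MISMATCH_CERT = {
    "subject": ((("commonName", "relay.other-domain.test"),),),
    "subjectAltName": (("DNS", "relay.other-domain.test"),),
}
# Legacy certificate with no SAN extension at all.
CN_ONLY_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, and no wildcards of the form "*.com" (too broad).
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, expected_host):
    """True if expected_host is covered by a dNSName SAN entry; the subject CN
    is consulted only when the certificate carries no dNSName SAN at all."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(name, expected_host) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, expected_host)
    return False


def check_smtps_peer(cert, configured_host):
    """Decision a client should make after chain validation succeeds."""
    if hostname_matches(cert, configured_host):
        return "ok"
    return "reject: certificate not issued for " + configured_host


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("mismatch", MISMATCH_CERT), ("cn-only", CN_ONLY_CERT)):
        print(label, "->", check_smtps_peer(cert, "smtp.example.com"))
```

Chain validation alone answers "was this certificate issued by a trusted CA?"; only the host name check answers "was it issued for the server I meant to talk to?". Skipping the second question is what turns any CA-issued certificate into a usable interception certificate.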

What is the Impact of CVE-2020-9488?

Successful exploitation may allow attackers to intercept and read sensitive log messages, leading to information disclosure, and potentially manipulate log data, which could affect incident response, auditing, and forensic investigations.

What is the Exploitability of CVE-2020-9488?

Exploitation of this vulnerability requires an attacker to be in a Man-in-the-Middle (MITM) position relative to the Log4j application and its configured SMTPS server. The complexity is moderate, as it involves setting up a rogue TLS server and potentially manipulating network traffic (e.g., DNS poisoning, ARP spoofing) to redirect the SMTPS connection. No specific authentication to the Log4j application itself is required; the attack occurs at the network level. Local network access or control over DNS is typically a prerequisite. This is primarily a remote network-based attack. The risk factor is increased in environments where network traffic is not strictly monitored and where Log4j is configured to send sensitive information via SMTPS without robust certificate trust mechanisms.

What are the Known Public Exploits?

PoC Author     | Link | Commentary
arsalanraja987 | Link | Demo of CVE-2020-9488: Unsafe logging with Log4j and remediation

What are the Available Fixes for CVE-2020-9488?

Available Upgrade Options

  • org.apache.logging.log4j:log4j
    • <2.3.2 → Upgrade to 2.3.2
    • >2.4.0, <2.12.3 → Upgrade to 2.12.3
    • >2.13.0, <2.13.2 → Upgrade to 2.13.2
  • org.apache.logging.log4j:log4j-core
    • <2.3.2 → Upgrade to 2.3.2
    • >2.4.0, <2.12.3 → Upgrade to 2.12.3
    • >2.13.0, <2.13.2 → Upgrade to 2.13.2
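To turn the ranges above into a repeatable check, the following added example (not the project's or the vendor's own tooling) scans Maven dependency output for the two affected coordinates and reports the upgrade target for each hit. The ranges and fixed versions are copied exactly as this page lists them, with both bounds exclusive as written; the dependency lines are constructed in the shape of `mvn dependency:list` output and are not from a real build.

```python
"""Match Log4j artifact versions against the affected ranges listed above."""
import re

# Ranges exactly as listed on this page: (exclusive lower bound or None,
# exclusive upper bound, version to upgrade to).
AFFECTED_RANGES = (
    (None,     "2.3.2",  "2.3.2"),
    ("2.4.0",  "2.12.3", "2.12.3"),
    ("2.13.0", "2.13.2", "2.13.2"),
)
AFFECTED_ARTIFACTS = {
    "org.apache.logging.log4j:log4j",
    "org.apache.logging.log4j:log4j-core",
}


def parse_version(version):
    """'2.13.1' -> (2, 13, 1). A '-qualifier' suffix (e.g. '-rc1') is ignored,
    so a pre-release is compared as the release it precedes."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def fixed_version_for(coordinate, version):
    """Upgrade target if coordinate:version falls in an affected range, else None."""
    if coordinate not in AFFECTED_ARTIFACTS:
        return None
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v > parse_version(lower)
        if above_lower and v < parse_version(upper):
            return fixed
    return None


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.13.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.13.1:compile
[INFO]    com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.13.3:test
"""

DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):jar:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def scan_dependency_list(text):
    """Return [(coordinate, version, upgrade_to)] for every affected entry."""
    findings = []
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        coordinate = f"{match['group']}:{match['artifact']}"
        fixed = fixed_version_for(coordinate, match["version"])
        if fixed:
            findings.append((coordinate, match["version"], fixed))
    return findings


if __name__ == "__main__":
    for coordinate, version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is affected; upgrade to {fixed}")
```

Feed it the real output of `mvn dependency:list` (transitive dependencies included) rather than the top-level `pom.xml`, since log4j-core is often pulled in indirectly.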


Additional Resources

What are Similar Vulnerabilities to CVE-2020-9488?

Similar Vulnerabilities: CVE-2021-38183, CVE-2015-1836, CVE-2016-1000341, CVE-2016-1000342, CVE-2019-17571