
CVE-2020-9488

Disclosure Date: April 27, 2020

Description

The Apache Log4j SMTP appender improperly validates the server certificate when its hostname does not match the host being connected to. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attacker, leaking any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.


CVSS V3 Severity and Metrics

Base Score: 3.7 Low
Impact Score: 1.4
Exploitability Score: 2.2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

General Information

Vendors

  • apache
  • debian
  • oracle
  • qos

Products

  • communications application session controller 3.9m0p1
  • communications billing and revenue management 12.0.0.3.0
  • communications billing and revenue management 7.5.0.23.0
  • communications eagle ftp table base retrieval 4.5
  • communications offline mediation controller 12.0.0.3.0
  • communications services gatekeeper 7.0
  • communications unified inventory management 7.3.0
  • communications unified inventory management 7.4.0
  • data integrator 12.2.1.3.0
  • data integrator 12.2.1.4.0
  • debian linux 10.0
  • debian linux 11.0
  • debian linux 9.0
  • enterprise manager for peoplesoft 13.4.1.1
  • financial services analytical applications infrastructure
  • financial services institutional performance analytics 8.0.6
  • financial services institutional performance analytics 8.1.0
  • financial services institutional performance analytics 8.7.0
  • financial services market risk measurement and management 8.0.6
  • financial services market risk measurement and management 8.0.8
  • financial services market risk measurement and management 8.1.0
  • financial services price creation and discovery 8.0.6
  • financial services price creation and discovery 8.0.7
  • financial services retail customer analytics 8.0.6
  • flexcube core banking
  • flexcube core banking 5.2.0
  • flexcube private banking 12.0.0
  • flexcube private banking 12.1.0
  • health sciences information manager 3.0.1
  • insurance insbridge rating and underwriting
  • insurance insbridge rating and underwriting 5.6.1.0
  • insurance policy administration j2ee 10.2.0.37
  • insurance policy administration j2ee 10.2.4.12
  • insurance policy administration j2ee 11.0.2.25
  • insurance policy administration j2ee 11.1.0.15
  • insurance policy administration j2ee 11.2.0.26
  • insurance rules palette 10.2.0.37
  • insurance rules palette 10.2.4.12
  • insurance rules palette 11.0.2.25
  • insurance rules palette 11.1.0.15
  • insurance rules palette 11.2.0.26
  • jd edwards world security a9.4
  • log4j
  • oracle goldengate application adapters 19.1.0.0.0
  • peoplesoft enterprise peopletools 8.56
  • peoplesoft enterprise peopletools 8.57
  • peoplesoft enterprise peopletools 8.58
  • policy automation
  • policy automation connector for siebel 10.4.6
  • policy automation for mobile devices
  • primavera unifier 18.8
  • primavera unifier 19.12
  • reload4j
  • retail advanced inventory planning 14.1
  • retail assortment planning 15.0.3.0
  • retail assortment planning 16.0.3.0
  • retail bulk data integration 15.0.3.0
  • retail bulk data integration 16.0.3.0
  • retail customer management and segmentation foundation 16.0
  • retail customer management and segmentation foundation 17.0
  • retail customer management and segmentation foundation 18.0
  • retail customer management and segmentation foundation 19.0
  • retail eftlink 15.0.2
  • retail eftlink 16.0.3
  • retail eftlink 17.0.2
  • retail eftlink 18.0.1
  • retail eftlink 19.0.1
  • retail insights cloud service suite 19.0
  • retail integration bus 14.1
  • retail integration bus 15.0
  • retail integration bus 16.0
  • retail order broker cloud service 16.0
  • retail order broker cloud service 18.0
  • retail order broker cloud service 19.0
  • retail order broker cloud service 19.1
  • retail order broker cloud service 19.2
  • retail order broker cloud service 19.3
  • retail predictive application server 14.1.3.0
  • retail predictive application server 15.0.3.0
  • retail predictive application server 16.0.3.0
  • retail xstore point of service 15.0.4
  • retail xstore point of service 16.0.6
  • retail xstore point of service 17.0.4
  • retail xstore point of service 18.0.3
  • retail xstore point of service 19.0.2
  • siebel apps - marketing
  • siebel ui framework
  • spatial and graph 12.2.0.1
  • spatial and graph 18c
  • spatial and graph 19c
  • storagetek acsls 8.5.1
  • storagetek tape analytics sw tool 2.3.1
  • utilities framework
  • utilities framework 2.2.0.0.0
  • utilities framework 4.2.0.2.0
  • utilities framework 4.2.0.3.0
  • utilities framework 4.4.0.0.0
  • utilities framework 4.4.0.2.0
  • weblogic server 10.3.6.0.0
