CVE-2020-9488

Severity: LOW | CVSS 3.7/10 | EPSS 7.81%


CVE-2020-9488 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. EPSS estimates a 7.81% chance of exploitation in the next 30 days.

Description

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Metrics

CVSS 3.1: 3.7/10 (LOW)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
(network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact, no integrity or availability impact)

EPSS probability: 7.81% (93.9th percentile), the estimated probability of exploitation in the next 30 days.


Affected Software

Vendor | Product                                                  | Versions
------ | -------------------------------------------------------- | --------------------------
Apache | Log4j                                                    | >= 2.0, < 2.3.2
Apache | Log4j                                                    | >= 2.4, < 2.12.3
Apache | Log4j                                                    | >= 2.13.0, < 2.13.2
Oracle | Communications Application Session Controller            | 3.9m0p1
Oracle | Communications Billing And Revenue Management            | 7.5.0.23.0
Oracle | Communications Billing And Revenue Management            | 12.0.0.3.0
Oracle | Communications Eagle Ftp Table Base Retrieval            | 4.5
Oracle | Communications Offline Mediation Controller              | 12.0.0.3.0
Oracle | Communications Services Gatekeeper                       | 7.0
Oracle | Communications Unified Inventory Management              | 7.3.0
Oracle | Communications Unified Inventory Management              | 7.4.0
Oracle | Data Integrator                                          | 12.2.1.3.0
Oracle | Data Integrator                                          | 12.2.1.4.0
Oracle | Enterprise Manager For Peoplesoft                        | 13.4.1.1
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0.0, <= 8.1.0.0.0
Oracle | Financial Services Institutional Performance Analytics   | 8.0.6
Oracle | Financial Services Institutional Performance Analytics   | 8.1.0
Oracle | Financial Services Institutional Performance Analytics   | 8.7.0
Oracle | Financial Services Market Risk Measurement And Management | 8.0.6
Oracle | Financial Services Market Risk Measurement And Management | 8.0.8
Oracle | Financial Services Market Risk Measurement And Management | 8.1.0
Oracle | Financial Services Price Creation And Discovery          | 8.0.6
Oracle | Financial Services Price Creation And Discovery          | 8.0.7
Oracle | Financial Services Retail Customer Analytics             | 8.0.6
Oracle | Flexcube Core Banking                                    | >= 11.5.0, <= 11.7.0
Oracle | Flexcube Core Banking                                    | 5.2.0
Oracle | Flexcube Private Banking                                 | 12.0.0
Oracle | Flexcube Private Banking                                 | 12.1.0
Oracle | Health Sciences Information Manager                      | 3.0.1
Oracle | Insurance Insbridge Rating And Underwriting              | >= 5.0.0.0, <= 5.6.0.0
Oracle | Insurance Insbridge Rating And Underwriting              | 5.6.1.0
Oracle | Insurance Policy Administration J2ee                     | 10.2.0.37
Oracle | Insurance Policy Administration J2ee                     | 10.2.4.12
Oracle | Insurance Policy Administration J2ee                     | 11.0.2.25
Oracle | Insurance Policy Administration J2ee                     | 11.1.0.15
Oracle | Insurance Policy Administration J2ee                     | 11.2.0.26
Oracle | Insurance Rules Palette                                  | 10.2.0.37
Oracle | Insurance Rules Palette                                  | 10.2.4.12
Oracle | Insurance Rules Palette                                  | 11.0.2.25
Oracle | Insurance Rules Palette                                  | 11.1.0.15
Oracle | Insurance Rules Palette                                  | 11.2.0.26
Oracle | Jd Edwards World Security                                | a9.4
Oracle | Oracle Goldengate Application Adapters                   | 19.1.0.0.0
Oracle | Peoplesoft Enterprise Peopletools                        | 8.56
Oracle | Peoplesoft Enterprise Peopletools                        | 8.57
Oracle | Peoplesoft Enterprise Peopletools                        | 8.58
Oracle | Policy Automation                                        | >= 12.2.0, <= 12.2.20
Oracle | Policy Automation Connector For Siebel                   | 10.4.6
Oracle | Policy Automation For Mobile Devices                     | >= 12.2.0, <= 12.2.20
Oracle | Primavera Unifier                                        | 18.8

Showing 50 of 101 affected configurations. See NVD for the full list.


Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2020-9488?
A certificate hostname-validation flaw in the Apache Log4j SMTP appender (see Description above). An SMTPS connection made by the appender could be intercepted by a man-in-the-middle attack, leaking any log messages sent through it. Fixed in Apache Log4j 2.12.3 and 2.13.1.

How severe is CVE-2020-9488?
CVE-2020-9488 has a CVSS score of 3.7/10 (LOW severity). The EPSS model estimates a 7.81% probability of exploitation in the next 30 days.

How do I fix CVE-2020-9488?
Upgrade to a fixed Apache Log4j release (2.12.3 or 2.13.1, as stated in the description). For the affected vendor products listed above, check the vendor's advisories for patched versions and mitigation guidance.


Source: NVD / NIST