Medium

Apache Log4j Core verifyHostName TLS hostname verification bypass

IdentifiersCVE-2026-34477CWE-295· Improper Certificate Validation

CVE-2026-34477 is a hostname verification flaw in Apache Log4j Core caused by an incomplete fix for CVE-2025-68161. The prior fix only enforced hostname verification when enabled through the log4j2.sslVerifyHostName system property, but did not correctly handle the verifyHostName attribute configured on a nested <Ssl> element. As a result, the verifyHostName configuration attribute, introduced in Log4j Core 2.12.0, was silently ignored in affected versions through 2.25.3, and also in 3.0.0-alpha1 through 3.0.0-beta3. This leaves TLS connections established by affected network appenders vulnerable to improper certificate hostname validation even when administrators explicitly configured hostname verification. The issue affects SMTP, Socket, and Syslog appenders using TLS via a nested <Ssl> element. Apache stated that the HTTP appender is not affected because it uses a separate verifyHostName setting that was not subject to this bug and verifies hostnames by default.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A network-positioned attacker may be able to perform a man-in-the-middle attack against TLS-protected logging or notification traffic generated by affected Log4j Core appenders. If the attacker can present a certificate chaining to a CA trusted by the appender's configured trust store, or by the default Java trust store when no custom trust store is configured, the lack of effective hostname verification can allow interception and impersonation of the intended remote endpoint. This can compromise the confidentiality and integrity of log streams or SMTP/syslog/socket-delivered events and may enable tampering with or observation of security-relevant telemetry.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by avoiding use of affected SMTP, Socket, or Syslog appenders with TLS configured through a nested <Ssl> element in vulnerable Log4j Core versions. Exposure is also reduced where attackers cannot obtain or present a certificate chaining to a CA trusted by the relevant trust store. The HTTP appender is not affected by this specific flaw because it uses separate hostname verification logic and verifies hostnames by default. No complete workaround equivalent to the vendor fix was provided.

Remediation

Patch, then assume compromise.

Upgrade Apache Log4j Core to version 2.25.4 or later. Apache identified 2.25.4 as the release that corrects handling of the verifyHostName attribute in nested <Ssl> TLS configuration. Affected users include Log4j Core 2.12.0 through 2.25.3 and 3.0.0-alpha1 through 3.0.0-beta3.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationLog4japplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cyberthroneNews

Jun 19, 2026

The Vulnerabilities That Matter in Oracle’s June 2026 CSPU - TheCyberThrone

A vulnerability in Oracle Communications addressed as part of a consolidated fix bundled with CVE-2026-34481.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34477

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34477

MITRE CWE · CWE-295

Improper Certificate Validation

Patch

github.com/apache/logging-log4j2/pull/4075

Vendor Advisory

logging.apache.org/cyclonedx/vdr.xml

Vendor Advisory

logging.apache.org/security.html

Mailing List

lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4

Product

logging.apache.org/log4j/2.x/manual/appenders/network.html