## Apache Log4j: Incomplete CVE Fix Left TLS Hostname Verification Configurable but Ignored
A security gap has been identified in Apache Log4j Core: TLS hostname verification, the safeguard that stops a man-in-the-middle from substituting a certificate for a different host, could be configured through the `<Ssl>` element but was silently ignored by the software. The problem stems from an incomplete fix for CVE-2025-68161, which enforced hostname verification only when it was enabled via the `log4j2.sslVerifyHostName` system property and left the parallel `<Ssl>`-based configuration path unpatched.

The `verifyHostName` attribute of the `<Ssl>` element was introduced in Log4j Core version 2.12.0. According to the analysis in the project's GitHub issue tracker, the attribute was ignored in every version through 2.25.3, so TLS connections that relied on it were made without hostname verification regardless of the operator's intent. An attacker able to present a fraudulent certificate could exploit the flaw when three conditions align: an SMTP, Socket, or Syslog appender is active; TLS is configured via a nested `<Ssl>` element; and the attacker holds a network position that allows interception.

The finding matters for any organization using Log4j's network appenders with TLS, because a configuration that looks correct may have provided false assurance. Security teams should audit existing deployments, confirm that hostname verification is actually enforced rather than merely declared in the configuration, and watch for a release that addresses this specific bypass. The incomplete remediation illustrates the risk of parallel configuration mechanisms in security-critical code paths: one channel is secured while a functionally equivalent alternative remains exposed.
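As an added example (not code from the Log4j project or from the issue the page summarizes), the following Python script performs the audit described above on a Log4j Core XML configuration. It walks the `<Appenders>` block, picks out SMTP, Socket and Syslog appenders that carry a nested `<Ssl>` element, and reports whether hostname verification is requested only through the `verifyHostName` attribute (the path the page reports as ignored through 2.25.3) or through the `log4j2.sslVerifyHostName` system property (the path the CVE-2025-68161 fix honors). The sample configuration and the system-property dictionary are constructed for illustration; the script assumes Log4j matches plugin element and attribute names case-insensitively, so `<Ssl>` and `<SSL>` are treated alike.

```python
"""Audit a Log4j Core configuration for network appenders whose TLS hostname
verification is requested only via <Ssl verifyHostName="...">.

Added example, not Log4j project code. Assumptions: plugin element and attribute
names are matched case-insensitively, and JVM system properties are passed in as
a plain dict (in a real audit, read them from the launch command or a JVM dump).
"""
import xml.etree.ElementTree as ET

# Appender plugins the page names as affected when TLS is configured by a nested <Ssl>.
NETWORK_APPENDERS = {"smtp", "socket", "syslog"}
SYSTEM_PROPERTY = "log4j2.sslVerifyHostName"

# Constructed sample configuration; hosts and paths are placeholders, not real systems.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Socket name="audit-socket" host="logs.example.test" port="6514" protocol="TCP">
      <Ssl protocol="TLSv1.2" verifyHostName="true">
        <TrustStore location="/etc/log4j/truststore.p12" password="changeit"/>
      </Ssl>
      <PatternLayout pattern="%m%n"/>
    </Socket>
    <Syslog name="syslog-plain" host="syslog.example.test" port="514" protocol="UDP"/>
    <SMTP name="alerts" to="ops@example.test" from="app@example.test"
          smtpHost="mail.example.test" smtpPort="465">
      <SSL verifyHostName="false"/>
    </SMTP>
    <Console name="stdout"/>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="audit-socket"/>
    </Root>
  </Loggers>
</Configuration>
"""


def _local(tag):
    """Strip any XML namespace and lower-case the tag for case-insensitive matching."""
    return tag.rsplit("}", 1)[-1].lower()


def _find_child(element, name):
    """Return the first direct child whose tag matches `name` case-insensitively."""
    for child in element:
        if _local(child.tag) == name:
            return child
    return None


def _attr(element, name):
    """Case-insensitive attribute lookup (assumption: Log4j matches attribute names that way)."""
    for key, value in element.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_hostname_verification(config_xml, system_properties):
    """Return one finding per SMTP/Socket/Syslog appender that has a nested <Ssl>.

    Status values:
      property_enforced     - log4j2.sslVerifyHostName=true is set; this path is honored.
      attribute_only        - verification requested only via verifyHostName="true";
                              the page reports this path as ignored through 2.25.3.
      verification_disabled - neither path requests verification.
    """
    root = ET.fromstring(config_xml)
    appenders = _find_child(root, "appenders")
    if appenders is None:
        return []
    property_enabled = system_properties.get(SYSTEM_PROPERTY, "").strip().lower() == "true"
    findings = []
    for appender in appenders:
        if _local(appender.tag) not in NETWORK_APPENDERS:
            continue
        ssl = _find_child(appender, "ssl")
        if ssl is None:
            continue  # TLS not configured through a nested <Ssl>: outside the reported condition
        requested = (_attr(ssl, "verifyHostName") or "").strip().lower() == "true"
        if property_enabled:
            status = "property_enforced"
        elif requested:
            status = "attribute_only"
        else:
            status = "verification_disabled"
        findings.append({
            "appender": _attr(appender, "name"),
            "type": _local(appender.tag),
            "attribute_requests_verification": requested,
            "status": status,
            # On the affected versions only the system-property path actually verifies.
            "effective_verification": property_enabled,
        })
    return findings


if __name__ == "__main__":
    for props in ({}, {SYSTEM_PROPERTY: "true"}):
        print(f"system properties: {props or '(none)'}")
        for finding in audit_hostname_verification(SAMPLE_CONFIG, props):
            print(f"  {finding['type']:<7} {finding['appender']:<14} {finding['status']}")
```

Any appender reported as `attribute_only` is the case the page describes: the configuration declares hostname verification, but on the affected versions the connection was made without it. The immediate mitigation on those versions is to set the system property on the JVM command line so that the honored path is used, then re-run the audit and confirm every network appender reports `property_enforced`.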
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cve-2025-68161, log4j-core, hostname-verification, tls-bypass, ssl-configuration
- **Credibility**: unverified
- **Published**: 2026-05-04 09:54:16
- **ID**: 79238
- **URL**: https://whisperx.ai/en/intel/79238