| Package | apache-log4j2 |
|---|---|
| Version | 2.17.1-1~deb10u2 (buster) |
| Related CVEs | CVE-2025-68161 |
In Apache Log4j2, a Java logging framework, the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under specific and hard-to-exploit conditions.
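As an added illustration (not Log4j2's own code and not the patch shipped in this package), this is what the missing check looks like in plain JSSE: a TLS client that enables endpoint identification, so that a trusted-CA certificate issued to a different name is rejected at the handshake instead of being accepted as the log collector. The class name, host and port are placeholders.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/**
 * Example TLS client that checks the peer certificate against the host
 * it connects to. Hypothetical helper for illustration only.
 */
public final class VerifiedTlsClient {

    public static SSLSocket connect(SSLContext context, String host, int port)
            throws IOException {
        SSLSocketFactory factory = context.getSocketFactory();
        // Opens the TCP connection; the TLS handshake is deferred until
        // startHandshake() or the first read/write, so parameters can
        // still be adjusted here.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Without this line JSSE validates the certificate chain against
        // the trust store but does NOT compare the certificate's SAN/CN
        // to `host`. Setting the algorithm to "HTTPS" turns on RFC 6125
        // style hostname matching, which is the verification the advisory
        // says the Socket Appender failed to perform.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // Complete the handshake now so a name mismatch surfaces as an
        // SSLHandshakeException here, before any log record is sent.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder collector address; replace with the real log server.
        String host = "log-collector.example.internal";
        int port = 6514;
        try (SSLSocket s = connect(SSLContext.getDefault(), host, port)) {
            System.out.println("Verified peer: "
                    + s.getSession().getPeerPrincipal().getName());
        }
    }
}
```

A quick regression check for any TLS-logging client is to point it at a collector whose certificate is valid but issued for a different name: a client that verifies hostnames must fail the handshake, while the vulnerable behaviour described above connects and ships logs anyway.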
For Debian 10 buster, these problems have been fixed in version 2.17.1-1~deb10u2.
We recommend that you upgrade your apache-log4j2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.