[GHSA-6hg6-v5c8-fphq] The fix for CVE-2025-68161 https://logging.apache.org...

[ppkarwasz]

Updates

• Affected products
• CVSS v4
• Description
• Source code location
• Summary

Comments
Improve formatting and component identity based on:

• VDR
• Security page

[Copilot]

Pull request overview

Updates the unreviewed advisory record for GHSA-6hg6-v5c8-fphq (CVE-2026-34477) to better reflect Apache Log4j Core impact/metadata and improve the rendered advisory text.

Changes:

• Added a clearer summary and reformatted details with markdown links.
• Replaced the placeholder/empty affected list with explicit Maven package ranges for Log4j Core (2.x and 3.0.0 pre-releases).
• Simplified the CVSS v4 vector string and added an explicit PACKAGE reference URL.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The details string still contains multiple double-spaces (e.g., "The fix for CVE-2025-68161" and before the log4j2.sslVerifyHostName link). Since this PR is improving formatting, please normalize these to single spaces for readability and consistent rendering.

Suggested change

"details": "The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `<Ssl>` element.\n\nAlthough the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n * An SMTP, Socket, or Syslog appender is in use.\n * TLS is configured via a nested <Ssl> element.\n * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.\n\nThis issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",

"details": "The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `<Ssl>` element.\n\nAlthough the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n * An SMTP, Socket, or Syslog appender is in use.\n * TLS is configured via a nested <Ssl> element.\n * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.\n\nThis issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",

[ppkarwasz]

Sounds reasonable and could be added.