Impact of CVE-2025-68161 affecting Log4j in Elasticsearch on Enterprise Vault

Article: 100076692
Last Published: 2026-02-02
Product(s): Enterprise Vault

Description

CVE-2025-68161: Apache Log4j runtime Socket Appender vulnerability

A flaw was discovered in Apache Log4j Core, the logging library bundled with Elasticsearch: the Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true. Because the appender only checks that the peer certificate chains to a trusted CA, and not that it was issued for the configured host, a man-in-the-middle attacker can intercept or redirect log traffic when both of the following conditions hold:

- The attacker is able to intercept or redirect network traffic between the client and the log receiver.
- The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root (for example, a trust store containing only the log receiver's issuing CA) so that certificates from any other CA are rejected.
https://nvd.nist.gov/vuln/detail/CVE-2025-68161


Affected Versions

- Log4j versions 2.0-beta9 through 2.25.2


CVSS 4.x Severity and Vector Strings

- NIST: NVD: N/A (NVD assessment not yet provided)
- CNA: Apache Software Foundation: CVSS-B 6.3 MEDIUM
- Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N


CVSS 3.x Severity and Vector Strings

- NIST: NVD
- Base Score: 4.8 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N


Impact

Per Elastic Support Article https://support.elastic.co/knowledge/security-ESST-c3551093-6357-49d3-b6b4-3648496ea77d:

Elasticsearch uses org.apache.logging.log4j:log4j-core at runtime as its built-in logging framework. Elasticsearch is not affected by this issue because the vulnerable code cannot be executed within the product; specifically, the vulnerable SocketAppender component is neither configured nor used by Elasticsearch. Nevertheless, org.apache.logging.log4j:log4j-core will be updated to a non-vulnerable version as part of Elasticsearch's standard maintenance practices.

While an affected version of Log4j may be present in the Elasticsearch instance on Enterprise Vault servers, neither Elasticsearch nor Enterprise Vault configures or uses the Socket Appender, which is the only component in which the flaw lies. The vulnerable code path is therefore never executed, and the issue cannot be exploited on an Enterprise Vault server.
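The two-part reasoning above (is the bundled log4j-core inside the affected range, and is an SSL Socket appender actually configured?) can be checked on a host rather than taken on trust. The following Python audit is an added example, not code from this advisory, from Elastic, or from Apache. It assumes the Elasticsearch log4j2.properties format (XML or JSON configurations are not parsed), assumes the SSL sub-element is expressed with the `appender.<id>.ssl.verifyHostName` key layout, and assumes the standard `lib` and `config/log4j2.properties` layout under an Elasticsearch home when pointed at a real install. The jar listing and both configuration samples are constructed for illustration and are not taken from an Enterprise Vault server.

```python
import os
import re
import sys

AFFECTED_FROM = "2.0-beta9"  # first affected release per NVD
FIXED_IN = "2.25.3"  # first fixed release
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version):
    """Sort key for Log4j versions: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.25.2."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    # Pre-releases sort before the final release of the same x.y.z.
    pre = (0, _PRE_RANK[m.group(4)], int(m.group(5))) if m.group(4) else (1, 0, 0)
    return (major, minor, patch) + pre


def is_affected(version):
    """True if log4j-core `version` lies within 2.0-beta9 .. 2.25.2 (inclusive)."""
    return version_key(AFFECTED_FROM) <= version_key(version) < version_key(FIXED_IN)


def core_version_from_jars(jar_names):
    """Extract the log4j-core version from a lib directory listing (None if absent)."""
    for name in jar_names:
        m = re.fullmatch(r"log4j-core-(.+)\.jar", name)
        if m:
            return m.group(1)
    return None


def find_socket_appenders(properties_text):
    """List Socket appenders in a log4j2.properties document with their protocol,
    verifyHostName setting, and whether any logger's appenderRef points at them."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    referenced = {v for k, v in props.items() if k.endswith(".ref")}
    found = []
    for key, value in props.items():
        m = re.fullmatch(r"appender\.([^.]+)\.type", key)
        if m and value.lower() == "socket":
            aid = m.group(1)
            found.append({
                "id": aid,
                "protocol": props.get(f"appender.{aid}.protocol", "TCP").upper(),
                "verifyHostName": props.get(f"appender.{aid}.ssl.verifyHostName"),
                "referenced": props.get(f"appender.{aid}.name", aid) in referenced,
            })
    return found


def assess(jar_names, properties_text):
    """Combine the library-version check and the configuration check into one verdict."""
    version = core_version_from_jars(jar_names)
    ssl_sockets = [a for a in find_socket_appenders(properties_text) if a["protocol"] == "SSL"]
    if version is None or not is_affected(version):
        verdict = "not affected: log4j-core is outside the affected range"
    elif not ssl_sockets:
        verdict = "not exposed: affected log4j-core present but no SSL Socket appender configured"
    else:
        verdict = "EXPOSED: SSL Socket appender configured on an affected log4j-core"
    return {"log4j_core": version, "ssl_socket_appenders": ssl_sockets, "verdict": verdict}


# Constructed sample resembling an Elasticsearch default configuration: file appenders only.
ES_DEFAULT_PROPERTIES = """
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}server.log
rootLogger.level = info
rootLogger.appenderRef.rolling.ref = rolling
"""

# Constructed sample of a configuration that WOULD be exposed: an SSL Socket appender
# with verifyHostName=true, a setting the affected versions do not honour.
SSL_SOCKET_PROPERTIES = ES_DEFAULT_PROPERTIES + """
appender.tcp.type = Socket
appender.tcp.name = tcp
appender.tcp.host = logs.example.internal
appender.tcp.port = 6514
appender.tcp.protocol = SSL
appender.tcp.ssl.type = Ssl
appender.tcp.ssl.verifyHostName = true
rootLogger.appenderRef.tcp.ref = tcp
"""
SAMPLE_JARS = ["log4j-api-2.25.2.jar", "log4j-core-2.25.2.jar"]  # constructed lib listing

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real install: python audit.py /path/to/elasticsearch
        lib = os.path.join(sys.argv[1], "lib")
        cfg = os.path.join(sys.argv[1], "config", "log4j2.properties")
        print(assess(os.listdir(lib), open(cfg).read()))
    else:
        print(assess(SAMPLE_JARS, ES_DEFAULT_PROPERTIES))
        print(assess(SAMPLE_JARS, SSL_SOCKET_PROPERTIES))
```

Run without arguments it prints the verdict for both constructed samples: the default-style configuration yields "not exposed" even on an affected log4j-core, which is the situation the advisory describes, while the same library with an SSL Socket appender yields "EXPOSED". Pointed at an Elasticsearch home it reads the real jar listing and configuration instead.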


Mitigation

As Enterprise Vault is not affected, no mitigation or resolution is required.

Note - Do NOT attempt to upgrade or replace the Log4j component bundled with Elasticsearch independently; doing so can cause unexpected product behaviour in Enterprise Vault.


Questions

For questions or problems regarding this vulnerability, please contact Technical Support.


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.


References

JIRA : CFT-7840
