1. Apache Log4j: Incomplete CVE Fix Left TLS Hostname Verification Configurable but Ignored
A critical security gap has been identified in Apache Log4j Core, where hostname verification—a critical safeguard against man-in-the-middle attacks—was configurable through the `<Ssl>` element but silently ignored by the software. The vulnerability stems from an incomplete fix for CVE-2025-68161, which addressed hostn...