mortenbra/thoth-gateway

Critical vulnerability in log4net

Closed this issue · 5 comments

A critical vulnerability was discovered in file log4net. The CVE Dictionary Entry for this issue is CVE-2018-1285. All log4net versions before 2.0.10 are affected. The thoth-gateway contains log4net version 1.2.20.0. Will there be a new version of thoth-gateway with the latest log4net?

Shouldn't be a problem using the latest log4net version in future releases of the Thoth Gateway.

However, note that according to the description of the vulnerability, "Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files." This means an attacker must already have compromised your web server in order to use this vulnerability, in which case you have bigger problems to worry about...
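For reference, the mitigation the quoted CVE text describes looks like this in .NET. This is an added illustration, not code from the Thoth Gateway or from log4net: a hardened XmlReader that prohibits DTDs is applied to a constructed, attacker-style configuration file, and the class name, the sample config and the placeholder file URI are all assumptions.

```csharp
using System;
using System.IO;
using System.Xml;
// Added example, not Thoth Gateway or log4net code: a hardened XmlReader
// refuses any DOCTYPE, so an untrusted log4net-style config cannot declare
// (or fetch) external entities, which is the class of XXE the CVE covers.
class Log4netConfigXxeCheck
{
    // Constructed sample config carrying a DOCTYPE with an external entity.
    // The SYSTEM URI is a placeholder, not a real file.
    public const string UntrustedConfig =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"file:///placeholder/local-file.txt\">]>\n" +
        "<log4net>\n" +
        "  <appender name=\"A\" type=\"log4net.Appender.FileAppender\">\n" +
        "    <file value=\"&ext;\" />\n" +
        "  </appender>\n" +
        "</log4net>";

    // Hardened settings: DTDs are prohibited outright and no resolver is
    // attached, so external entities can neither be declared nor fetched.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Returns true when the document is accepted, false when the reader rejects
    // it. With DtdProcessing.Prohibit the DOCTYPE itself raises XmlException.
    public static bool TryLoad(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                new XmlDocument { XmlResolver = null }.Load(reader);
                return true;
            }
        }
        catch (XmlException)
        {
            return false;
        }
    }
    static void Main()
    {
        bool accepted = TryLoad(UntrustedConfig, HardenedSettings());
        Console.WriteLine(accepted ? "config accepted" : "config rejected: DOCTYPE present");
    }
}
```

The same two settings (DtdProcessing.Prohibit and a null XmlResolver) are what a fixed log4net applies internally when it reads its own configuration; an application that parses configuration XML itself before handing it to log4net needs to apply them too.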

Thanks for your reply. I will manually replace the log4net file with the newest version on the server and make my network administrator happy again.

Fixed in upcoming v1.4.5 release, which includes log4net 20.0.12.0.

Thank you very much