<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2018-1285] XXE vulnerability in Apache log4net
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Matt Sicker <mattsicker () apache org>
Date: Sun, 10 May 2020 13:21:33 -0500
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Summary: Apache log4net does not disable XML external entities when
parsing log4net configuration files. This could allow for XXE-based
attacks in applications that accept arbitrary configuration files from
users. [1]
Affected: log4net up to 2.0.8
Mitigation: as there are no further releases of log4net beyond 2.0.8,
and the Logging Services PMC has voted [2] to mark the project
dormant, users should not allow arbitrary configuration files to be
specified from untrusted sources. While this is arguably a
vulnerability, misuse of any framework allowing untrusted input to
configure things is always a bad idea.
[1]: https://issues.apache.org/jira/browse/LOG4NET-575
[2]:
https://lists.apache.org/thread.html/r6691036b0f85419e8bc97f6f522b8c353dd250b0a329164167b021a6%40%3Cdev.logging.apache.org%3E
--
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2018-1285] XXE vulnerability in Apache log4net Matt Sicker (May 10)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->