oss-sec mailing list archives
[CVE-2018-1285] XXE vulnerability in Apache log4net
From: Matt Sicker <mattsicker () apache org>
Date: Sun, 10 May 2020 13:21:33 -0500
Summary: Apache log4net does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users. [1] Affected: log4net up to 2.0.8 Mitigation: as there are no further releases of log4net beyond 2.0.8, and the Logging Services PMC has voted [2] to mark the project dormant, users should not allow arbitrary configuration files to be specified from untrusted sources. While this is arguably a vulnerability, misuse of any framework allowing untrusted input to configure things is always a bad idea. [1]: https://issues.apache.org/jira/browse/LOG4NET-575 [2]: https://lists.apache.org/thread.html/r6691036b0f85419e8bc97f6f522b8c353dd250b0a329164167b021a6%40%3Cdev.logging.apache.org%3E -- Matt Sicker Secretary, Apache Software Foundation VP Logging Services, ASF
Current thread:
- [CVE-2018-1285] XXE vulnerability in Apache log4net Matt Sicker (May 10)