Date: Sun, 10 May 2020 13:21:33 -0500 From: Matt Sicker <mattsicker@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2018-1285] XXE vulnerability in Apache log4net Summary: Apache log4net does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.  Affected: log4net up to 2.0.8 Mitigation: as there are no further releases of log4net beyond 2.0.8, and the Logging Services PMC has voted  to mark the project dormant, users should not allow arbitrary configuration files to be specified from untrusted sources. While this is arguably a vulnerability, misuse of any framework allowing untrusted input to configure things is always a bad idea. : https://issues.apache.org/jira/browse/LOG4NET-575 : https://lists.apache.org/thread.html/r6691036b0f85419e8bc97f6f522b8c353dd250b0a329164167b021a6%40%3Cdev.logging.apache.org%3E -- Matt Sicker Secretary, Apache Software Foundation VP Logging Services, ASF
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.