Vulnerability Description
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
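As an added example (not log4net's own code or its 2.0.10 fix), this shows the hardened XML-loading pattern a .NET application can apply before handing a configuration document to any configurator: DTD processing is prohibited and no resolver is set, so a configuration carrying a DOCTYPE is rejected instead of having its entities expanded. `SafeConfigLoader` and both sample strings are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: load a log4net-style XML configuration with DTD processing
// disabled and no external resolver. Not log4net's own code.
public static class SafeConfigLoader
{
    public static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE raises XmlException
            XmlResolver = null                       // never fetch external resources
        };
        // The document itself also gets no resolver, so nothing is fetched later.
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed sample: an ordinary log4net configuration, accepted as-is.
        const string benign =
            "<log4net><root><level value=\"INFO\"/></root></log4net>";
        // Constructed sample: the same root element preceded by a DOCTYPE that
        // declares an entity. A loader that leaves DTD processing enabled would
        // expand it; this loader refuses the document before reading its body.
        const string withDtd =
            "<!DOCTYPE log4net [<!ENTITY e \"x\">]><log4net>&e;</log4net>";

        Console.WriteLine("benign root: " + Load(benign).DocumentElement.Name);
        try
        {
            Load(withDtd);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected as expected: " + ex.Message);
        }
    }
}
```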
CVSS Score
CRITICAL (CVSS base score 9.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4Net | < 2.0.10 |
| Fedoraproject | Fedora | 30 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Hospitality Opera 5 | 5.5 |
| Oracle | Hospitality Simphony | 18.2.7.2 |
| Netapp | Manageability Software Development Kit | - |
| Netapp | Snapcenter | - |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/LOG4NET-575 (Issue Tracking, Vendor Advisory)
- https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b
- https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369
- https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc3490
- https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ff
- https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99
- https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc43412
- https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41
- https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f6533
- https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe29141 (Mailing List, Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220909-0001/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Third Party Advisory)
FAQ
What is CVE-2018-1285?
CVE-2018-1285 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
How severe is CVE-2018-1285?
CVE-2018-1285 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-1285?
Check the references section above for vendor advisories and patch information; the Apache fix is log4net 2.0.10. Affected products include: Apache Log4Net, Fedoraproject Fedora, Oracle Application Testing Suite, Oracle Hospitality Opera 5, Oracle Hospitality Simphony, NetApp Manageability Software Development Kit, and NetApp SnapCenter.