XML External Entity attack in log4net (CVE-2018-1285) #2266

Closed
gep13 opened this issue May 10, 2021 · 0 comments
gep13 commented May 10, 2021

Enhancement Information

We need to update to the latest log4net package version in all Chocolatey code bases, including this one. This is due to an:

XML External Entity attack in log4net

which can:

Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

The recommendation is to update to at least 2.0.10, however, we have decided to go straight to 2.0.12.

References

Notes

It's important to point out that to exploit this with Chocolatey, someone would need administrative access to the machine due to the folder locations where the log4net config file would need to be placed. With administrative privileges already, it's unlikely that they would need to exploit this vulnerability. Hence the longer lead time for this. While the exploit was highly critical in other applications, due to Chocolatey's security on the file system, the criticality was reduced to patch during the next release cycle.
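As an added example (not Chocolatey's or log4net's own code), the following C# loader shows the application-side mitigation for the class of bug described above: it refuses any DTD in a log4net XML config before the element is handed to log4net.Config.XmlConfigurator.Configure(XmlElement), independent of which package version is installed. The config strings and the placeholder entity URI are constructed for the demonstration.

```csharp
// Added example (not Chocolatey or log4net code): load a log4net XML config with
// DTD processing disabled, so an external-entity declaration is rejected before
// the document ever reaches XmlConfigurator.Configure(XmlElement).
using System;
using System.IO;
using System.Xml;

public static class SafeLog4NetConfig
{
    // Returns the root element of a DTD-free config; throws XmlException if a
    // <!DOCTYPE ...> (and thus any entity declaration) is present.
    public static XmlElement LoadConfig(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE is a hard error
            XmlResolver = null                      // never fetch external resources
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement;
        }
    }

    public static void Main()
    {
        // Constructed benign config: accepted, root element is <log4net>.
        const string benign = "<log4net><root><level value=\"INFO\" /></root></log4net>";
        Console.WriteLine("accepted root: " + LoadConfig(benign).Name);

        // Constructed config carrying an external entity declaration (placeholder
        // URI): rejected by the reader before any entity could be resolved.
        const string withDtd =
            "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"file:///placeholder\">]>" +
            "<log4net><root>&ext;</root></log4net>";
        try
        {
            LoadConfig(withDtd);
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
        // A returned XmlElement can then be passed to
        // log4net.Config.XmlConfigurator.Configure(XmlElement).
    }
}
```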

@gep13 gep13 added this to the 0.10.16 milestone May 10, 2021
@gep13 gep13 self-assigned this May 10, 2021
gep13 added a commit that referenced this issue Sep 2, 2021
 - This is required due to an identified vulnerability in earlier versions of the log4net assembly:

GHSA-2cwj-8chv-9pp9
gep13 added a commit that referenced this issue Sep 2, 2021
* feature/GH-2266:
  (#2266) Update to latest log4net package
gep13 added a commit that referenced this issue Sep 2, 2021
* stable:
  (maint) Update release notes link
  (doc) Update release notes
  (version) 0.11.0
  (#2266) Update to latest log4net package
  (doc) Add release notes for 0.11.0
  (#2333) Disable loading of DLL under extensions path
  (version) 0.11.0-beta
  (maint) Corrected version number
  (#2322) Use PNG for Nuspec IconUrl
@gep13 gep13 changed the title TBD XML External Entity attack in log4net (CVE-2018-1285) Sep 2, 2021
@gep13 gep13 closed this as completed Sep 2, 2021
gep13 added a commit to gep13/choco that referenced this issue Sep 9, 2021
All Chocolatey products are now using log4net 2.0.12, however, the
nuspec file for the chocolatey.lib package still has a reference to the
older 2.0.3 version.

The decision has been taken that this doesn't warrant a new release of
this package.
gep13 added a commit that referenced this issue Sep 9, 2021
* stable:
  (test) Add unit tests for ArgumentsUtility class
  (#2266) Update nuspec to what is being used
gep13 added a commit that referenced this issue Sep 21, 2021
All Chocolatey products are now using log4net 2.0.12, however, the
nuspec file for the chocolatey.lib package still has a reference to the
older 2.0.3 version.

The decision has been taken that this doesn't warrant a new release of
this package.
gep13 added a commit that referenced this issue Sep 23, 2021
* master: (21 commits)
  (version) v0.11.2
  (#2374) Remove setting of Authorization property
  (version) v0.11.2-beta
  (#2374) Fix variable name when setting header
  Revert "(maint) Added missing link to milestone"
  Revert "Merge branch 'stable'"
  Revert "(version) v0.12.0-alpha"
  Revert "Merge branch 'stable'"
  Revert "Merge branch 'stable'"
  Revert "Merge branch 'stable'"
  Revert "Merge branch 'stable'"
  (doc) Remove Travis build badge
  (#2356) Remove .travis.yml file
  (doc) Fix typo in community feed URL
  (test) Add unit tests for ArgumentsUtility class
  (#2266) Update nuspec to what is being used
  (doc) Update changelogs to point to release notes
  (version) v0.12.0-alpha
  (maint) Update generation script for new commands
  (maint) Added missing link to milestone
  ...

# Conflicts:
#	.uppercut