log4net.dll version is affected by CVE-2018-1285 #840
Comments
I was mistaken, we are using 2.0.10 and are not affected by the CVE you listed.
Regards, Jim
Unaffected
Wasn't that package updated after the latest release? Is there a way to download a later build that includes this?
I'm running the latest stable - 1.4.0.9. It appears that, for some reason, log4net.dll is being identified as version 1.2.13.0. Maybe there is a version number or identifier in this file, or in the file's metadata, that includes this value. Either the vulnerability scan software is incorrectly picking up the version here, or maybe a version number wasn't updated on the .dll somehow.
So there are a couple of issues related to this:
1) The last "packaged" release (1.4.0.9), I believe, has an older version of log4net, as was originally reported. As far as the version is concerned it is susceptible to the vulnerability listed (although I have not spent any time finding out whether the way we specifically use the library is vulnerable or not).
2) The automatic build server no longer stores artifacts, so the "nightly" or development version is not available packaged at this time. Until a new release is packaged, running the latest development version will require downloading and compiling the source.
As a temporary "fix" I have rebuilt the last development version so the artifacts will be around for 30 days. Hopefully by then I can push out a new packaged release. Downloadable from here: https://ci.appveyor.com/project/jimradford/superputty/build/artifacts (for about 30 days)
This has been fixed as of 1.4.10; for earlier versions you can either replace the log4net.dll with a newer version or download an artifact build.
Hello, log4net.dll 2.0.8 is still affected by the vulnerability but is fixed in 2.0.10. So SuperPuTTY 1.4.10 is still being picked up by vulnerability scans.
https://github.com/jimradford/superputty/releases/tag/1.4.10 Should we reopen this issue?
By the way, I tried to manually replace the DLL with the one downloaded from this link. SuperPuTTY won't start afterwards.
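The thread turns on where the scanner finds "1.2.13.0" (or "2.0.8") in a file that the project thinks of as a newer log4net. Windows binaries carry a VS_FIXEDFILEINFO structure in their version resource, and file-based scanners report the file/product version recorded there, then compare it component by component with the first fixed release (2.0.10 in this thread and in the NVD entry for CVE-2018-1285). The script below is an added example, not code from SuperPuTTY or log4net: it locates that structure by its signature, decodes the versions, and states what a version-matching scanner would conclude. The 2.0.10 boundary and the constructed sample bytes are assumptions of the example; two general caveats that the thread does not establish but that a practitioner should keep in mind are that a .NET assembly's file version, its AssemblyVersion and its NuGet package version are three separate values that need not agree, and that swapping in a log4net.dll with a different assembly version of a strong-named assembly fails to load unless the application's config carries a matching bindingRedirect, which is one plausible reason a hand-replaced DLL stops the program from starting.

```python
"""Decode the version a file-based scanner reads from a Windows DLL.

Added example, not SuperPuTTY or log4net code. It finds the VS_FIXEDFILEINFO
structure inside a binary, decodes file and product version, and compares the
result with the first log4net version assumed to be fixed (2.0.10).
"""
import struct
import sys

VS_FFI_SIGNATURE = 0xFEEF04BD           # dwSignature of VS_FIXEDFILEINFO
VS_FFI_STRUCT_SIZE = 13 * 4             # thirteen little-endian DWORDs
CVE_2018_1285_FIXED_IN = (2, 0, 10, 0)  # assumption: first unaffected log4net version


def _split_version(ms, ls):
    """Convert the MS/LS DWORD pair into (major, minor, build, revision)."""
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_fixed_file_info(data):
    """Return the file and product versions from the first plausible
    VS_FIXEDFILEINFO in `data`, or None when the bytes carry none."""
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    off = data.find(sig)
    while off != -1:
        if off + VS_FFI_STRUCT_SIZE <= len(data):
            fields = struct.unpack_from("<13I", data, off)
            # dwStrucVersion is 1.0 (0x00010000) in real version resources; the
            # check rejects a random four-byte run that merely equals the signature.
            if fields[1] >> 16 == 1:
                return {
                    "file_version": _split_version(fields[2], fields[3]),
                    "product_version": _split_version(fields[4], fields[5]),
                }
        off = data.find(sig, off + 1)
    return None


def is_before(version, fixed_version=CVE_2018_1285_FIXED_IN):
    """Component-wise comparison, the rule a version-based scanner applies."""
    return tuple(version) < tuple(fixed_version)


def format_version(version):
    return ".".join(str(part) for part in version)


def assess_dll(data):
    """Summarise what a version-matching scanner would conclude for one DLL."""
    info = find_fixed_file_info(data)
    if info is None:
        return {"version": None, "flagged": None,
                "reason": "no VS_FIXEDFILEINFO found; scanner cannot name a version"}
    version = info["file_version"]
    flagged = is_before(version)
    reason = "file version %s is %s the fix version %s" % (
        format_version(version), "before" if flagged else "at or past",
        format_version(CVE_2018_1285_FIXED_IN))
    return {"version": version, "flagged": flagged, "reason": reason}


def make_fake_dll(file_version, product_version=None):
    """Constructed test input: filler bytes with one VS_FIXEDFILEINFO embedded.
    It stands in for a real log4net.dll and is not a loadable PE image."""
    product_version = product_version or file_version

    def to_dwords(v):
        return (v[0] << 16) | v[1], (v[2] << 16) | v[3]

    fv_ms, fv_ls = to_dwords(file_version)
    pv_ms, pv_ls = to_dwords(product_version)
    # dwFileOS 0x40004 = VOS_NT_WINDOWS32, dwFileType 2 = VFT_DLL
    ffi = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, fv_ms, fv_ls,
                      pv_ms, pv_ls, 0x3F, 0, 0x40004, 2, 0, 0, 0)
    return b"MZ" + b"\x00" * 62 + b"\xAA" * 96 + ffi + b"\x00" * 32


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], assess_dll(fh.read()))
    else:
        for sample in [(1, 2, 13, 0), (2, 0, 8, 0), (2, 0, 10, 0)]:
            print(format_version(sample), assess_dll(make_fake_dll(sample)))
```

Run it with the path of the shipped log4net.dll to see the same number the scanner sees; run it without arguments to exercise the constructed samples. Matching on the signature alone is what makes the check work on an arbitrary file, and the dwStrucVersion test is what keeps a stray byte pattern from producing a bogus version.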
Hello,
Recently a host-based vulnerability scan picked up SuperPuTTY's log4net.dll as susceptible to CVE-2018-1285.
https://nvd.nist.gov/vuln/detail/CVE-2018-1285
Can you confirm if this is a false positive?
Some employers prohibit using software in their environment that contains critical vulnerabilities.
Thanks!