FortiClient vulnerability scan reports issue with Apache log4net.dll 1.2.11.0

Description

Security Vulnerability CVE-2018-1285 for log4net

Critical
Date Released: 2020-05-11
Recommended Action:
Download and install patches as instructed
Description:
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Affected Products:
Apache log4net
CVE IDs:
CVE-2018-1285
Vendor Information:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1285
Vendor Patch Download:
https://logging.apache.org/log4net/download_log4net.html

Environment

None

Attachments

Log4net_FortiClient2.jpg

20 Aug, 2021

Log4net_FortiClient.jpg

20 Aug, 2021

Linked work items

duplicates

BUG-2826

CVE-2018-1285 for log4net

Activity

Jens Klingen

August 22, 2021 at 3:28 PM

Thanks for reporting this.
As someone else has already reported the same, I am closing this as a duplicate. Please refer to https://greenshot.atlassian.net/browse/BUG-2826#icft=BUG-2826 for further reference.

Resize work item view side panel

Duplicate

Details

Assignee

Unassigned

Reporter

Jay Perrin

Affects versions

1.2.10

Components

Core

Priority

Major

Created August 20, 2021 at 4:09 PM

Updated August 22, 2021 at 3:28 PM

Resolved August 22, 2021 at 3:28 PM