Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.
It turns out it is triggered by log4net.dll inside my Sourcetree program folder on Windows 10.
My IT manager is keen for me to remove Sourcetree, but as I use it regularly, I don't want to lose this tool.
Is anyone else having trouble with this CVE? Where might I go to report an issue?
It has been taken care of and will be released soon in the next release of Sourcetree, 3.4.8, in which log4net is updated to v2.0.14.
Thanks,
Hi @Vipin Yadav
We are using 3.4.8 and it is still reporting as vulnerable for both OpenSSL and log4net.dll; we have over 300 devices using Sourcetree.
Can you please advise.
OpenSSL is 1.1.1.10
It looks like that DLL is found in the old version, so you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. When a new version of Sourcetree is available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder, and we update from there. Currently, cleanup of old versions from AppData is not supported.
What about openssl.exe? That is not in the app-3.4.7 directory. What do we do about this?
Yes, we have the same issue and we are waiting for an update. If I'm not wrong, they have to update log4net.dll to v2.0.12.
Same here. It's December now, using 3.4.7, and the issue is still present...
Hi Rene,
Apparently, no features that would allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.
From my understanding, we will need to wait for a major update, probably 4.x.x, for the Apache log4net version to be changed.
Let's add a vote each and watch the issue to motivate the change.
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
FortiClient reports the vulnerability as seen below:
The issue has been reported here:
Source Tree for windows - v3.4.5: security Vulnerability CVE-2018-1285 for log4net
Add vote and watch to get it resolved in future updates.
Apache log4net should be updated to version 2.0.10 or later in the next updates.
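The two practical points in this thread are the cleanup suggested earlier (delete the stale app-3.4.7 folder under C:\Users\XXX\AppData\Local\SourceTree, which Sourcetree does not do for itself) and the version threshold from the CVE-2018-1285 post above (log4net 2.0.10 or later). The following PowerShell script does both on one machine: it lists every log4net.dll under each per-version folder with its file version, flags copies below the fixed version, and optionally removes the folders that are not the newest one. This is an added example, not Atlassian's or Sourcetree's own tooling. It assumes the per-user install layout the reply describes (one app-<version> folder per release under %LOCALAPPDATA%\SourceTree), that the highest-numbered app-* folder is the one actually launched, and that the parameter names -Root, -FixedLog4net and -RemoveStale are this script's own.

```powershell
# Added example, not part of Sourcetree. Audits and optionally cleans up the per-user
# Sourcetree install folders that the thread says are left behind after an update.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: per-user install under %LOCALAPPDATA%\SourceTree, as described in the thread
    [string]$Root = (Join-Path $env:LOCALAPPDATA 'SourceTree'),
    # First log4net release with the CVE-2018-1285 fix, per the post quoting the CVE text
    [version]$FixedLog4net = [version]'2.0.10',
    # When set, delete every app-* folder except the newest (honours -WhatIf / -Confirm)
    [switch]$RemoveStale
)

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Warning "No per-user Sourcetree install found at $Root"
    return
}

# One app-<version> folder per release, e.g. app-3.4.7 and app-3.4.8, sorted by version
$appDirs = @(Get-ChildItem -LiteralPath $Root -Directory -Filter 'app-*' |
    Where-Object { $_.Name -match '^app-\d+(\.\d+)+$' } |
    Sort-Object -Property { [version]($_.Name.Substring(4)) })

if ($appDirs.Count -eq 0) {
    Write-Warning "No app-* folders under $Root"
    return
}

# Assumption: the highest-numbered folder is the version Sourcetree actually runs
$current = $appDirs[-1]

$report = foreach ($dir in $appDirs) {
    $dlls = Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Filter 'log4net.dll' `
        -ErrorAction SilentlyContinue
    foreach ($dll in $dlls) {
        # FileVersion is a string such as "2.0.8.0"; fall back to ProductVersion if it does not parse
        $ver = $null
        foreach ($candidate in @($dll.VersionInfo.FileVersion, $dll.VersionInfo.ProductVersion)) {
            if ($candidate -and [version]::TryParse($candidate, [ref]$ver)) { break }
        }
        [pscustomobject]@{
            Folder     = $dir.Name
            IsCurrent  = ($dir.FullName -eq $current.FullName)
            Dll        = $dll.FullName
            Version    = $ver
            Vulnerable = if ($ver) { $ver -lt $FixedLog4net } else { 'unknown' }
        }
    }
}

# A Vulnerable=True row in the current folder means the update itself still ships an old DLL;
# a Vulnerable=True row in an older folder is the leftover the scanner is most likely tripping on.
$report | Format-Table -AutoSize

if ($RemoveStale) {
    foreach ($dir in ($appDirs | Where-Object { $_.FullName -ne $current.FullName })) {
        if ($PSCmdlet.ShouldProcess($dir.FullName, 'Remove stale Sourcetree version folder')) {
            Remove-Item -LiteralPath $dir.FullName -Recurse -Force
        }
    }
}
```

Run it once without -RemoveStale to see what the scanner is actually matching, then with `-RemoveStale -WhatIf` to preview the deletions before committing to them; close Sourcetree first so no file in the old folder is locked. Because the script reports the DLL inside the newest folder as well, it also shows the case several posters hit, where the currently installed release still carries a log4net below 2.0.10 and removing old folders alone will not silence the report. It does not address the separate openssl.exe finding raised in the thread, which the thread leaves unresolved.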