CVE-2018-1285 - apache log4net vulnerability

Phillip Jubb
August 8, 2021

Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.

It turns out it is triggered on log4net.dll inside my Sourcetree program folder on Windows 10.

My IT manager is keen for me to remove Sourcetree, but as I use it regularly, I don't want to lose this tool.
Is anyone else having trouble with this CVE? Where might I go to report an issue?

4 answers


2 votes
Vipin Yadav
Atlassian Team
January 28, 2022

It has been taken care of and will be released soon in the next release of Sourcetree, 3.4.8, in which log4net is updated to v2.0.14.

Thanks,

Craig.Waddington
March 28, 2022

Hi @Vipin Yadav 

We are using 3.4.8 and it is still reporting as vulnerable for both OpenSSL and log4net.dll; we have over 300 devices using Sourcetree.

Can you please advise.

OpenSSL is 1.1.1.10

(Screenshots attached: Version.png, OpenSSL.version1.png, Vulnerable.png)

Vipin Yadav
Atlassian Team
March 28, 2022

It looks like that DLL is found in the old version, so you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. Whenever a new version of Sourcetree is available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder and we update from there. Currently, cleanup of old versions from AppData is not supported.
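The manual step above (delete the stale app-3.4.7 folder because only the newest app-* folder is used, while the old copy of log4net.dll still trips the scanner) can be checked across a fleet with a short script. The following is an added example, not Atlassian's code or anything posted in this thread. It assumes the per-user install root is %LOCALAPPDATA%\SourceTree with one app-<version> folder per release, as the reply states, and uses 2.0.10 as the first fixed log4net version from the CVE-2018-1285 description quoted later on this page. It only reports by default; stale folders are removed only when -RemoveStaleFolders is passed.

```powershell
# Added example, not from the thread: inventory every log4net.dll under the
# Sourcetree per-user install root and flag copies older than the fixed version.
# Assumptions: the root is %LOCALAPPDATA%\SourceTree as the thread states, each
# release lives in an app-<version> folder, and log4net is fixed from 2.0.10.
param(
    [string]$Root = (Join-Path $env:LOCALAPPDATA 'SourceTree'),
    [version]$FixedLog4net = '2.0.10',
    [switch]$RemoveStaleFolders   # nothing is deleted unless this is passed
)

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Warning "Sourcetree root not found: $Root"
    return
}

# 1. Collect app-<version> folders and identify the newest one.
$appDirs = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    if ($dir.Name -match '^app-(\d+(?:\.\d+){1,3})$') {
        [pscustomobject]@{ Path = $dir.FullName; Version = [version]$Matches[1] }
    }
}
$newestDir = $appDirs | Sort-Object Version -Descending | Select-Object -First 1

# 2. Read the file version of every log4net.dll below the root.
$findings = foreach ($dll in Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4net.dll') {
    $parsed = $null
    # A missing or unparseable version string is reported as vulnerable, not ignored.
    $vulnerable = $true
    if ([version]::TryParse($dll.VersionInfo.FileVersion, [ref]$parsed)) {
        $vulnerable = $parsed -lt $FixedLog4net
    }
    # Anything outside the newest app-* folder is a leftover of an old release.
    $inStaleDir = $false
    if ($newestDir) {
        $inStaleDir = -not $dll.FullName.StartsWith(
            $newestDir.Path + [System.IO.Path]::DirectorySeparatorChar,
            [System.StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Path        = $dll.FullName
        FileVersion = $dll.VersionInfo.FileVersion
        Vulnerable  = $vulnerable
        InStaleDir  = $inStaleDir
    }
}
$findings | Format-Table -AutoSize | Out-Host

# 3. Report (and optionally remove) app-<version> folders older than the newest.
foreach ($old in ($appDirs | Where-Object { $newestDir -and $_.Version -lt $newestDir.Version })) {
    if ($RemoveStaleFolders) {
        Remove-Item -LiteralPath $old.Path -Recurse -Force
        Write-Host "Removed stale folder $($old.Path)"
    } else {
        Write-Host "Stale folder left in place (use -RemoveStaleFolders to delete): $($old.Path)"
    }
}
```

Run it as the affected user (the root is under that user's profile). A log4net.dll that is both Vulnerable and InStaleDir is exactly the case described in the reply above: the scanner is matching a file the current release no longer loads, and deleting the old app-* folder makes the finding go away.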

Matt Perkins
April 9, 2022

What about the openssl.exe? That is not in the app-3.4.7 directory. What do we do about this?

2 votes
Albert
September 1, 2021

Yes, we have the same issue and we are waiting for an update. If I'm not wrong, they have to update log4net.dll to v2.0.12.

1 vote
Rene
December 10, 2021

Same here. December now, using 3.4.7, issue still present...

Kushal
December 10, 2021

Hi Rene,
Apparently, no features which allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.
From my understanding, we will need to wait for a major update, probably 4.x.x for the Apache log4net version to be changed.
Let's add a vote each and watch the issue to motivate the change.

1 vote
Kushal
September 1, 2021

CVE-2018-1285 Description

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Observation

Forticlient reports the vulnerability as seen below:

(Screenshot attached: CVE-2018-1285 - apache log4net vulnerability.PNG)

The issue has been reported here:

Source Tree for windows - v3.4.5: security Vulnerability CVE-2018-1285 for log4net 

Add vote and watch to get it resolved in future updates.

Solution

Apache log4net should be updated to version 2.0.10 or a later version in the next updates.
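The CVE description above comes down to one parser setting: a configuration file is XML, and an XML reader that still processes DTDs will honour an external entity declared in the file. The following is an added example, not code from this thread or from the log4net project, showing what the fixed behaviour looks like in .NET: an XmlReader with DTD processing prohibited and no resolver rejects a log4net-style configuration that declares an external entity, and accepts the same configuration without one. Both inputs are constructed here and the entity's SYSTEM target is a placeholder.

```powershell
# Added example, not from the thread or the log4net project: a .NET XmlReader
# configured the way the CVE-2018-1285 fix requires (no DTD processing, no
# resolver) rejects a config carrying an external entity and accepts a plain one.
function Test-Log4netConfigXml {
    param([Parameter(Mandatory)][string]$Xml)

    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit   # any DOCTYPE fails the parse
    $settings.XmlResolver   = $null                                    # never fetch external resources

    $reader = [System.Xml.XmlReader]::Create([System.IO.StringReader]::new($Xml), $settings)
    try {
        $doc = [System.Xml.XmlDocument]::new()
        $doc.Load($reader)
        [pscustomobject]@{ Accepted = $true;  Reason = '' }
    } catch {
        [pscustomobject]@{ Accepted = $false; Reason = $_.Exception.Message }
    } finally {
        $reader.Dispose()
    }
}

# Constructed sample: a config that declares an external entity (the SYSTEM
# target is a placeholder, not a real path).
$withEntity = @'
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<log4net>
  <appender name="Console" type="log4net.Appender.ConsoleAppender">
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="&ext;" />
    </layout>
  </appender>
  <root><level value="INFO" /><appender-ref ref="Console" /></root>
</log4net>
'@

# Constructed sample: the same config with no DTD at all.
$plain = @'
<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <appender name="Console" type="log4net.Appender.ConsoleAppender">
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date %level - %message%newline" />
    </layout>
  </appender>
  <root><level value="INFO" /><appender-ref ref="Console" /></root>
</log4net>
'@

Test-Log4netConfigXml -Xml $withEntity   # Accepted = False; Reason says DTD is prohibited
Test-Log4netConfigXml -Xml $plain        # Accepted = True
```

The Prohibit setting is the relevant control: with DtdProcessing set to Parse and a default resolver, the reader would try to fetch the entity's SYSTEM target while loading the document, which is why a configuration file that an attacker can supply is the precondition named in the CVE text. Checking a config this way is also a cheap gate for any tool that accepts log4net configuration from users.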
