
CVE-2018-1285 - apache log4net vulnerability

Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.

It turns out it is triggered on log4net.dll inside my Sourcetree program folder on Windows 10.

My IT manager is keen for me to remove Sourcetree, but as I use it regularly, I don't want to lose this tool.


Is anyone else having trouble with this CVE? Where might I go to report an issue?

4 answers

2 votes
Vipin Yadav
Atlassian Team
Jan 28, 2022

It has been taken care of and will be released soon in the next release of Sourcetree, 3.4.8, in which log4net is updated to v.2.0.14.


Hi @Vipin Yadav 

We are using 3.4.8 and it is still reporting as Vulnerable for both OpenSSL and Log4net.dll, we have over 300 devices using Sourcetree.

Can you please advise.

OpenSSL is





Vipin Yadav
Atlassian Team
Mar 28, 2022

It looks like that DLL is found in the old version, so you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. When any version of Sourcetree becomes available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder and we update from there. Currently, old version cleanup from AppData is not supported.

What about the openssl.exe? That is not in the app-3.4.7 directory. What do we do about this?

Yes, we have the same issue and we are waiting for an update. If I'm not wrong, they have to update log4net.dll to v.2.0.12.

Same here. December now, using 3.4.7, issue still present...

Hi Rene,


Apparently, no features which allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.


From my understanding, we will need to wait for a major update, probably 4.x.x for the Apache log4net version to be changed.


Let's add a vote each and watch the issue to motivate the change.

CVE-2018-1285 Description

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.



Forticlient reports the vulnerability as seen below:

[Screenshot: CVE-2018-1285 - apache log4net vulnerability.PNG]

The issue has been reported here:

Source Tree for windows - v3.4.5: security Vulnerability CVE-2018-1285 for log4net 

Add vote and watch to get it resolved in future updates.


Apache log4net should be updated to version 2.0.10 or later version in the next updates.
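
An added example, not part of the thread and not Atlassian's code: a read-only PowerShell inventory that finds every log4net.dll under each user's `AppData\Local\SourceTree` folder, compares it with the 2.0.10 threshold from the CVE description, and marks copies that sit in an older `app-*` folder such as the `app-3.4.7` one mentioned above. It assumes the DLL's file version tracks the log4net release number and that the highest-numbered `app-*` folder is the current install; `Get-Log4netFinding` and `$ProfilesRoot` are names made up for this example.

```powershell
# Added example: report log4net.dll copies left behind in Sourcetree app-* folders.
# Read-only: nothing is deleted or modified.
param(
    # Folder that holds the per-user profiles (assumption: default Windows layout).
    [string]$ProfilesRoot = 'C:\Users'
)

# CVE-2018-1285 affects log4net versions before 2.0.10.
$fixed = [version]'2.0.10'

function Get-Log4netFinding {
    param([string]$SourcetreeRoot)

    # One app-<version> folder per downloaded release, as described in the thread.
    $appDirs = Get-ChildItem -LiteralPath $SourcetreeRoot -Directory -Filter 'app-*' -ErrorAction SilentlyContinue

    # Assumption: the highest-numbered folder is the one Sourcetree currently runs from.
    $current = $appDirs |
        Sort-Object { ($_.Name -replace '^app-', '') -as [version] } |
        Select-Object -Last 1

    foreach ($dir in $appDirs) {
        Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Filter 'log4net.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Assumption: the file version resource matches the log4net release number.
                $info = $_.VersionInfo
                $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $ver
                    Vulnerable  = $ver -lt $fixed
                    StaleFolder = $dir.FullName -ne $current.FullName
                }
            }
    }
}

# Walk every profile so a shared or multi-user machine is covered in one pass.
Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $root = Join-Path $_.FullName 'AppData\Local\SourceTree'
        if (Test-Path -LiteralPath $root) { Get-Log4netFinding -SourcetreeRoot $root }
    } |
    Sort-Object Vulnerable, StaleFolder -Descending |
    Format-Table -AutoSize -Wrap
```

A row with both `Vulnerable` and `StaleFolder` set to `True` is the leftover-folder case from the reply above; `Vulnerable` set to `True` on the current folder means the installed release itself still ships an old DLL.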
