Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.
It turns out it is triggered on log4net.dll inside my SourceTree program folder on Windows 10.
My IT manager is keen for me to remove SourceTree, but as I use it regularly, I don't want to lose this tool.
Is anyone else having trouble with this CVE? Where might I go to report an issue?
It looks like that dll is found in the old version. So you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. When any new version of SourceTree is available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder and we update from there. Currently, old-version cleanup from AppData is not supported.
Apparently, no features which allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.
From my understanding, we will need to wait for a major update, probably 4.x.x for the Apache log4net version to be changed.
Let's add a vote each and watch the issue to motivate the change.
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Forticlient reports the vulnerability as seen below:
The issue has been reported here:
Add vote and watch to get it resolved in future updates.
Apache log4net should be updated to version 2.0.10 or a later version in the next updates.
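The two practical points in this thread are that the scanner is hitting a log4net.dll left behind in an old app-&lt;version&gt; folder, and that the fixed release is 2.0.10 or later. The following PowerShell script is an added example (not code from the thread, SourceTree or Atlassian) that audits every app-* folder under the per-user SourceTree install path named in the answer above, reads the numeric version fields of each log4net.dll it finds, and reports which copies are below 2.0.10 and which of those sit in a stale (non-current) folder. The install path and the `app-<version>` naming are assumptions taken from the answer; the script is report-only and deletes nothing.

```powershell
# Added example: audit SourceTree's per-version app folders for bundled log4net.dll
# copies older than 2.0.10 (the fixed release named in the thread).
# Assumes the default per-user install path C:\Users\<you>\AppData\Local\SourceTree;
# pass -Root to override. Report-only: nothing is removed.

param(
    [string]$Root = (Join-Path $env:LOCALAPPDATA 'SourceTree'),
    [version]$FixedIn = '2.0.10'
)

function Get-Log4netAudit {
    param([string]$Path, [version]$MinimumVersion)

    # Each installed version lives in its own app-<version> folder; the highest
    # version number is the one SourceTree currently launches (assumption).
    $appFolders = Get-ChildItem -Path $Path -Directory -Filter 'app-*' -ErrorAction Stop |
        Sort-Object { [version]($_.Name -replace '^app-', '') }
    $current = $appFolders | Select-Object -Last 1

    foreach ($folder in $appFolders) {
        $dlls = Get-ChildItem -Path $folder.FullName -Recurse -Filter 'log4net.dll' -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $vi = $dll.VersionInfo
            # Build a comparable version from the numeric PE fields instead of parsing
            # the free-text FileVersion string, which some builds decorate with extra text.
            $fileVersion = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                AppFolder   = $folder.Name
                IsCurrent   = ($folder.FullName -eq $current.FullName)
                Dll         = $dll.FullName
                FileVersion = $fileVersion
                Vulnerable  = ($fileVersion -lt $MinimumVersion)
            }
        }
    }
}

$results = Get-Log4netAudit -Path $Root -MinimumVersion $FixedIn
$results | Format-Table AppFolder, IsCurrent, FileVersion, Vulnerable -AutoSize

# A stale copy is an old, non-current folder still carrying a vulnerable log4net.dll.
# These are the files the scanner keeps flagging; list them so they can be removed
# once the current version has been confirmed to launch.
$results | Where-Object { $_.Vulnerable -and -not $_.IsCurrent } |
    ForEach-Object { Write-Host "Stale vulnerable copy: $($_.Dll)" }
```

Run it as `.\Audit-Log4net.ps1` (or with `-Root 'D:\Tools\SourceTree'` for a non-default install). A copy that is flagged `Vulnerable` but also `IsCurrent` is the case the thread's answers describe: the bundled library in the running version is still old, so removing stale folders silences only the duplicate findings and the real fix is the upstream update to log4net 2.0.10 or later.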