CVE-2018-1285 - apache log4net vulnerability

Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.

It turns out it is triggered by log4net.dll inside my Sourcetree program folder on Windows 10.

My IT manager is keen for me to remove Sourcetree, but as I use it regularly, I don't want to lose this tool.

Is anyone else having trouble with this CVE? Where might I go to report an issue?

4 answers

2 votes
Vipin Yadav Atlassian Team Jan 28, 2022

It has been taken care of and will be released soon in the next release of Sourcetree, 3.4.8, in which log4net is updated to v2.0.14.

Thanks,

Hi @Vipin Yadav 

We are using 3.4.8 and it is still reporting as vulnerable for both OpenSSL and log4net.dll; we have over 300 devices using Sourcetree.

Can you please advise.

OpenSSL is 1.1.1.10

(Attached screenshots: Version.png, OpenSSL.version1.png, Vulnerable.png)

Vipin Yadav Atlassian Team Mar 28, 2022

It looks like that DLL is found in the old version. So you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. When any new version of Sourcetree is available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder and we update from there. Currently, old-version cleanup from AppData is not supported.

What about the openssl.exe? That is not in the app-3.4.7 directory. What do we do about this?

Yes, we have the same issue and we are waiting for an update. If I'm not wrong, they have to update log4net.dll to v2.0.12.

Same here. December now, using 3.4.7, issue still present...

Hi Rene,

Apparently, no features which allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.

From my understanding, we will need to wait for a major update, probably 4.x.x, for the Apache log4net version to be changed.

Let's add a vote each and watch the issue to motivate the change.

CVE-2018-1285 Description

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Observation

FortiClient reports the vulnerability as seen below:

(Attached screenshot: CVE-2018-1285 - apache log4net vulnerability.PNG)

The issue has been reported here:

Source Tree for windows - v3.4.5: security Vulnerability CVE-2018-1285 for log4net 

Add vote and watch to get it resolved in future updates.

Solution

Apache log4net should be updated to version 2.0.10 or later in the next updates.
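As an added example (not code from this thread, from Atlassian or from Sourcetree itself), the check below inventories every log4net.dll under the per-user install root named earlier in the thread, %LOCALAPPDATA%\SourceTree, where each release lives in its own app-<version> folder, and flags any copy older than 2.0.10, the fixed version named in the CVE description. It assumes the scanner compares the DLL's FileVersion string; the function name and output fields are the author's own.

```powershell
# Added example, not from the thread. Lists every log4net.dll below the
# Sourcetree install root, reports its file version, and flags copies older
# than 2.0.10 (first log4net release that disables XML external entities,
# CVE-2018-1285). Leftover app-<version> folders from earlier releases are
# what keep a scanner firing after an upgrade.
function Get-SourcetreeLog4NetFindings {
    param(
        # Assumed install root, as described in the thread.
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'SourceTree'),
        [version]$FixedVersion = [version]'2.0.10'
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "No Sourcetree install found under $Root"
        return
    }
    Get-ChildItem -LiteralPath $Root -Filter 'log4net.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersion is the string scanners typically compare; keep only
            # the leading digits-and-dots so values such as "2.0.8.0 " parse.
            $raw = [string]$_.VersionInfo.FileVersion
            $parsed = $null
            $parsable = [version]::TryParse(($raw -replace '[^\d.].*$', ''), [ref]$parsed)
            # The first path segment below the root is the app-<version> folder.
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            [pscustomobject]@{
                AppFolder   = $rel.Split('\')[0]
                FileVersion = $raw
                Outdated    = if ($parsable) { $parsed -lt $FixedVersion } else { $null }
                Path        = $_.FullName
            }
        }
}

$findings = Get-SourcetreeLog4NetFindings
$findings | Format-Table AppFolder, FileVersion, Outdated, Path -AutoSize

# A flagged copy in an older app-* folder than the one currently running is a
# leftover the thread says Sourcetree does not remove on its own; a flagged copy
# in the current folder means the installed release itself still ships the old
# library and only a vendor update resolves it.
$findings | Where-Object { $_.Outdated -eq $true } | ForEach-Object {
    Write-Warning "log4net $($_.FileVersion) (older than 2.0.10) in $($_.AppFolder): $($_.Path)"
}
```

Run it per user, since the install root is under each user's profile; an Outdated value of $null means the DLL carried no parsable FileVersion and needs a manual look.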
