CVE-2018-1285 - apache log4net vulnerability

Phillip Jubb August 8, 2021

Recently our Fortinet security device has been reporting a vulnerability on my dev machine, stating that Apache log4net is vulnerable.

It turns out it is triggered by log4net.dll inside my Sourcetree program folder on Windows 10.

My IT manager is keen for me to remove Sourcetree but, as I use it regularly, I don't want to lose this tool.

Is anyone else having trouble with this CVE? Where might I go to report an issue?

4 answers

2 votes
Vipin Yadav
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 28, 2022

It has been taken care of and will be released soon in the next release of Sourcetree, 3.4.8, in which log4net is updated to v2.0.14.

Thanks,

Craig.Waddington March 28, 2022

Hi @Vipin Yadav 

We are using 3.4.8 and it is still reporting as vulnerable for both OpenSSL and log4net.dll; we have over 300 devices using Sourcetree.

Can you please advise.

OpenSSL is 1.1.1.10

[Screenshots attached: Version.png, OpenSSL.version1.png, Vulnerable.png]

Vipin Yadav
Atlassian Team
March 28, 2022

It looks like that DLL is found in an old version. So you need to remove app-3.4.7 from C:\Users\XXX\AppData\Local\SourceTree. When any new version of Sourcetree is available, it gets downloaded into C:\Users\XXX\AppData\Local\SourceTree in a new folder and we update from there. Currently, cleanup of old versions from AppData is not supported.

Matt Perkins April 9, 2022

What about the openssl.exe? That is not in the app-3.4.7 directory. What do we do about this?
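A quick way to see what the scanner is actually finding, as an added example that is not part of this thread or of Sourcetree itself: the script below walks %LOCALAPPDATA%\SourceTree, lists every log4net.dll and openssl.exe with its file version, marks any app-* folder that is not the newest one as stale (the leftover app-3.4.7 case above), and flags log4net.dll builds below 2.0.10, the fixed version named in the CVE description. It assumes the app-<version> folder layout described in the answer above; the -RemoveStale switch is this script's own addition and nothing is deleted unless you pass it. It also reports an openssl.exe that lives outside any app-* folder, which is the case raised in the last comment, rather than guessing where it comes from.

```powershell
<#
  Added example, not Atlassian/Sourcetree code. Reports log4net.dll and openssl.exe
  versions under the Sourcetree AppData folder and flags stale app-* folders.
  Assumptions: app-<version> folder naming (from the answer above); log4net 2.0.10 as
  the fixed version (from the CVE description). -RemoveStale is hypothetical behaviour
  added here; by default the script only reports.
#>
param(
    [string]$SourceTreeRoot = (Join-Path $env:LOCALAPPDATA 'SourceTree'),
    [version]$Log4NetFixed = '2.0.10',
    [switch]$RemoveStale
)

if (-not (Test-Path -LiteralPath $SourceTreeRoot)) {
    throw "Sourcetree folder not found: $SourceTreeRoot"
}

# Collect app-* folders and sort by the embedded version, not by name,
# so that app-3.4.10 sorts after app-3.4.9.
$appDirs = Get-ChildItem -LiteralPath $SourceTreeRoot -Directory -Filter 'app-*' |
    Where-Object { $_.Name -match '^app-\d+(\.\d+)+$' } |
    Sort-Object { [version]($_.Name -replace '^app-', '') }
$newest = $appDirs | Select-Object -Last 1

# Search the whole root, not just app-* folders, so a stray openssl.exe at the
# top level (or anywhere else) is reported too.
$files = Get-ChildItem -LiteralPath $SourceTreeRoot -Recurse -File -Include 'log4net.dll', 'openssl.exe'

$report = foreach ($f in $files) {
    # First path segment under the root; '(outside app-*)' if it is not an app folder.
    $relative  = $f.FullName.Substring($SourceTreeRoot.Length).TrimStart('\')
    $segment   = $relative.Split('\')[0]
    $appFolder = if ($segment -match '^app-\d+(\.\d+)+$') { $segment } else { '(outside app-*)' }

    # FileMajorPart.. are genuine FileVersionInfo properties; FileVersion as a string
    # can carry trailing text, so build the [version] from the numeric parts.
    $vi  = $f.VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        AppFolder         = $appFolder
        File              = $f.FullName
        FileVersion       = $ver
        StaleFolder       = ($appFolder -ne '(outside app-*)') -and ($null -ne $newest) -and ($appFolder -ne $newest.Name)
        Log4NetVulnerable = ($f.Name -ieq 'log4net.dll') -and ($ver -lt $Log4NetFixed)
    }
}

$report | Sort-Object AppFolder, File | Format-Table -AutoSize

if ($RemoveStale -and $newest) {
    $appDirs | Where-Object { $_.Name -ne $newest.Name } | ForEach-Object {
        Write-Host "Removing stale folder $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }
}
```

Run it once without -RemoveStale, check that the only log4net.dll flagged as vulnerable sits in a folder marked stale, then re-run with -RemoveStale if you want the old app-* folders gone; a log4net.dll or openssl.exe reported as "(outside app-*)" is not explained by the stale-folder answer and needs a separate look.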

2 votes
Albert September 1, 2021

Yes, we have the same issue and we are waiting for an update. If I'm not wrong, they have to update log4net.dll to v2.0.12.

1 vote
Rene December 10, 2021

Same here. December now, using 3.4.7, issue still present...

Kushal December 10, 2021

Hi Rene,

Apparently, no features which allow the Apache log4net vulnerability to be exploited have been implemented. Theoretically, even if Fortinet reports the CVE, it would be safe to say that it cannot be used to cause a breach.

From my understanding, we will need to wait for a major update, probably 4.x.x, for the Apache log4net version to be changed.

Let's add a vote each and watch the issue to motivate the change.

1 vote
Kushal September 1, 2021

CVE-2018-1285 Description

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

 

Observation

Forticlient reports the vulnerability as seen below:

[Screenshot: CVE-2018-1285 - apache log4net vulnerability.PNG]

The issue has been reported here:

Source Tree for windows - v3.4.5: security Vulnerability CVE-2018-1285 for log4net 

Add vote and watch to get it resolved in future updates.

Solution

Apache log4net should be updated to version 2.0.10 or later in the next updates.
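To make the CVE description concrete, here is an added example (not log4net's own code and not from this thread) that reproduces the XXE mechanism with the .NET System.Xml API that log4net's XmlConfigurator is built on. A constructed log4net-style config declares an external entity pointing at a local file; parsed with DTD processing enabled and an XmlUrlResolver, the file's contents end up inside the parsed config (here in the appender's file attribute), which is the "attacker-controlled configuration file" condition the description refers to. Parsed with DtdProcessing.Prohibit, the DOCTYPE itself is rejected and no file is ever read. The temp file, its contents and the config are all made up for the demo.

```powershell
<#
  Added example, not log4net or Sourcetree code. Demonstrates the XXE behaviour behind
  CVE-2018-1285 using System.Xml directly: the same config parsed with DTD processing
  allowed (entity expanded, file contents leak into the config) and with DTD processing
  prohibited (parse fails on the DOCTYPE, nothing is fetched).
  All file names, paths and the "secret" value are constructed for the demo.
#>
$ErrorActionPreference = 'Stop'

# Constructed sensitive file that the XXE payload points at.
$secretPath = Join-Path ([IO.Path]::GetTempPath()) 'xxe-demo-secret.txt'
Set-Content -LiteralPath $secretPath -Value 'db-password=hunter2' -NoNewline
$secretUri = ([uri]$secretPath).AbsoluteUri   # file:///C:/.../xxe-demo-secret.txt

# Constructed log4net-style config carrying an external entity (the XXE payload).
$config = @"
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [
  <!ENTITY secret SYSTEM "$secretUri">
]>
<log4net>
  <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
    <file value="&secret;" />
  </appender>
  <root>
    <appender-ref ref="RollingFile" />
  </root>
</log4net>
"@

function Parse-Log4NetConfig {
    param(
        [string]$Xml,
        [System.Xml.DtdProcessing]$Dtd
    )
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = $Dtd
    # XmlUrlResolver is what turns a SYSTEM entity into a file/URL fetch. With
    # Prohibit the DOCTYPE is an error before any resolver could be consulted.
    $settings.XmlResolver = if ($Dtd -eq [System.Xml.DtdProcessing]::Parse) {
        [System.Xml.XmlUrlResolver]::new()
    } else {
        $null
    }
    $reader = [System.Xml.XmlReader]::Create([IO.StringReader]::new($Xml), $settings)
    try {
        $doc = [System.Xml.XmlDocument]::new()
        $doc.Load($reader)
        # Return what the "file" attribute expanded to.
        return $doc.SelectSingleNode('/log4net/appender/file/@value').Value
    } finally {
        $reader.Dispose()
    }
}

# Vulnerable parse: DTD processed, entity resolved, secret file contents leak into the config.
$leaked = Parse-Log4NetConfig -Xml $config -Dtd Parse
"Vulnerable parse put this in <file value>: $leaked"

# Hardened parse: the DOCTYPE is rejected, so the entity is never declared, let alone fetched.
try {
    $null = Parse-Log4NetConfig -Xml $config -Dtd Prohibit
    'Unexpected: hardened parse succeeded'
} catch {
    "Hardened parse rejected the config: $($_.Exception.GetBaseException().Message)"
}

Remove-Item -LiteralPath $secretPath
```

The first line printed shows the literal contents of the temp file in the appender's file attribute, which is the leak; in a real deployment that value could just as well be a URL fetched from an internal host. The practical check this suggests is the one the CVE text already implies: the bug is only reachable if something other than the application's own installer can supply or modify the log4net configuration that gets parsed.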
