CVE-2018-1285

Published: May 11, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Affected (11)

Products: Apache: Log4net · Fedoraproject: Fedora · Oracle: Application Testing Suite, Hospitality Opera 5, Hospitality Simphony · +1 more

Show all products

Apache: Log4net · Fedoraproject: Fedora · Oracle: Application Testing Suite, Hospitality Opera 5, Hospitality Simphony · Netapp: Manageability Software Development Kit, Snapcenter

1 product

1 product

3 products

Application Testing Suite

Hospitality Opera 5

Hospitality Simphony

2 products

Manageability Software Development Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Log4net	Before 2.0.10

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Oracle Application Testing Suite	Version 13.3.0.1
Oracle Hospitality Opera 5	Version 5.5
Oracle Hospitality Opera 5	Version 5.6
Oracle Hospitality Simphony	Version 18.2.7.2
Oracle Hospitality Simphony	Version 19.1.3

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Manageability Software Development Kit	All versions
Netapp Snapcenter	All versions

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (34)

https://issues.apache.org/jira/browse/LOG4NET-575

Source: security@apache.org

Issue TrackingVendor Advisory

https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/

Source: security@apache.org

https://security.netapp.com/advisory/ntap-20220909-0001/

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security@apache.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: security@apache.org

Third Party Advisory

https://issues.apache.org/jira/browse/LOG4NET-575

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20220909-0001/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.