Bug 1172193 - (CVE-2018-1285) VUL-0: CVE-2018-1285: log4net: XXE in applications that accept arbitrary configuration files from users
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/259369/
CVSSv3.1:SUSE:CVE-2018-1285:6.3:(AV:N...
Depends on:
Blocks:
Reported: 2020-05-27 14:39 UTC by Alexandros Toptsoglou
Modified: 2022-10-19 03:51 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2020-05-27 14:39:27 UTC
CVE-2018-1285

Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

References:
https://issues.apache.org/jira/browse/LOG4NET-575
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7
Comment 1 Alexandros Toptsoglou 2020-05-27 14:40:48 UTC
Tracked SLE11, Leap 15.1 and Factory as affected
Comment 4 OBSbugzilla Bot 2022-09-07 08:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1172193) was mentioned in
https://build.opensuse.org/request/show/1001652 15.4 / log4net
Comment 7 Yifan Jiang 2022-09-08 01:54:14 UTC
The version deviation is huge nowadays compared to what we have in our projects. So it would be better if anyone could take a technical review of the backport in the comments right above (which I think is safe :-)).
Comment 8 Thomas Leroy 2022-09-08 07:10:01 UTC
(In reply to Yifan Jiang from comment #7)
> The version deviation is huge nowadays compared to what we have in our
> projects. So it would be better if anyone could take a technical review of
> the backport in the comments right above (which I think is safe :-)).

ProhibitDtd seems deprecated for new .NET versions. Are you sure DtdProcessing couldn't be used here? Otherwise, it's fine from a security side. Feel free to add a technical reviewer to this ticket if you want further review :)
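As an added example, not log4net's own code and not the backport under review in this ticket: the pattern Comment 8 refers to, an XmlReaderSettings with DtdProcessing set to Prohibit (the replacement for the obsolete ProhibitDtd property on newer .NET) applied when a configuration document supplied by a user is read, so that any DOCTYPE, the carrier for external entity declarations, is rejected before an entity could be resolved. The class and method names here are assumptions for illustration, and both sample configuration strings are constructed, not taken from a real deployment.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not log4net's own code): read a log4net-style configuration
// document with DTD processing prohibited. A document carrying a DOCTYPE is
// rejected by the reader with an XmlException before any entity is expanded.
public static class SafeConfigLoader
{
    // Returns the root element name on success; throws XmlException when the
    // document declares a DTD. XmlResolver = null additionally blocks any
    // external resource fetch, should DTD handling ever be relaxed elsewhere.
    public static string LoadRootElement(string xmlText)
    {
        var settings = new XmlReaderSettings
        {
            // Replaces the obsolete "ProhibitDtd = true" from older frameworks.
            DtdProcessing = DtdProcessing.Prohibit,
            // Never resolve external references (DTDs, entities, includes).
            XmlResolver = null
        };

        using (var stringReader = new StringReader(xmlText))
        using (var reader = XmlReader.Create(stringReader, settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement.Name;
        }
    }

    // True when the configuration is rejected because it declares a DTD.
    public static bool IsRejected(string xmlText)
    {
        try
        {
            LoadRootElement(xmlText);
            return false;
        }
        catch (XmlException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs.
        const string plainConfig =
            "<log4net><root><level value=\"INFO\" /></root></log4net>";
        const string configWithDtd =
            "<!DOCTYPE log4net [<!ENTITY lvl \"INFO\">]>" +
            "<log4net><root><level value=\"&lvl;\" /></root></log4net>";

        Console.WriteLine("plain config root element: " + LoadRootElement(plainConfig));
        Console.WriteLine("config with DTD rejected: " + IsRejected(configWithDtd));
    }
}
```

The second sample uses only an internal entity so that the check is about the presence of a DTD, not about what the DTD references: with Prohibit in place the reader refuses the document as soon as it sees the DOCTYPE, which is the behaviour a backport of this fix should preserve whether it spells the setting as ProhibitDtd or as DtdProcessing.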
Comment 9 Jia Zhaocong 2022-10-19 03:51:19 UTC
Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign back to security team.