CVE-2018-1285
XXE vulnerability in log4net (NuGet)

XXE Proof of concept

What is CVE-2018-1285 About?

CVE-2018-1285 is an XML External Entity (XXE) injection flaw in Apache log4net before 2.0.10. An attacker who can supply a malicious log4net configuration file can carry out XXE-based attacks, potentially leading to information disclosure or server-side request forgery. Exploitation is of moderate ease.

Affected Software

log4net <2.0.10

Technical Details

The vulnerability stems from the log4net library's failure to properly disable XML External Entity (XXE) processing when parsing its configuration files. Specifically, the XML parser used by log4net does not have the DTD processing and external entity resolution features explicitly disabled. An attacker can craft a malicious log4net configuration file containing an external entity declaration that points to a local file or a remote URL. When an application using the vulnerable log4net version processes this untrusted configuration file, the XML parser will resolve the external entity, leading to the disclosure of sensitive local files (e.g., /etc/passwd) or initiating network requests to internal or external systems (Server-Side Request Forgery - SSRF).
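
The parser settings described above, shown as a defensive pre-load step for applications that cannot upgrade immediately. This is an added example, not log4net's own code or its patch; the `SafeLog4NetConfig` helper name and both sample documents are constructed for illustration, and the commented-out call assumes log4net's `XmlConfigurator.Configure(XmlElement)` overload.

```csharp
using System;
using System.IO;
using System.Xml;

static class SafeLog4NetConfig // hypothetical helper, not part of log4net
{
    // Parse a log4net configuration with DTDs prohibited and no resolver,
    // so no entity declaration is processed and nothing is fetched.
    // Throws XmlException if the document contains a DOCTYPE.
    public static XmlElement Load(TextReader source)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject any <!DOCTYPE ...>
            XmlResolver = null                      // never resolve external resources
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(source, settings))
            doc.Load(reader);

        if (doc.DocumentElement.Name != "log4net")
            throw new XmlException("Root element is not <log4net>.");
        return doc.DocumentElement;
    }

    static void Main()
    {
        // Constructed samples: a plain config, and one that declares a DTD
        // (internal entity only) to show that any DOCTYPE is refused.
        string clean = "<log4net><root><level value=\"INFO\"/></root></log4net>";
        string withDtd = "<!DOCTYPE log4net [<!ENTITY lvl \"INFO\">]>" +
                         "<log4net><root><level value=\"&lvl;\"/></root></log4net>";

        foreach (string xml in new[] { clean, withDtd })
        {
            try
            {
                XmlElement element = Load(new StringReader(xml));
                // Hand the pre-parsed element to log4net instead of a file path:
                // log4net.Config.XmlConfigurator.Configure(element);
                Console.WriteLine("accepted: <" + element.Name + ">");
            }
            catch (XmlException ex)
            {
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

Parsing the file in the application and passing the resulting element keeps the vulnerable library from ever opening the untrusted XML itself; upgrading to 2.0.10 remains the fix.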

What is the Impact of CVE-2018-1285?

Successful exploitation may allow attackers to disclose sensitive information from the compromised system, access unauthorized resources, or perform Server-Side Request Forgery (SSRF) attacks.

What is the Exploitability of CVE-2018-1285?

Exploitation of this vulnerability typically requires the ability to supply arbitrary or untrusted log4net configuration files to an application. There are no specific authentication or privilege requirements to trigger the flaw, beyond the ability to deliver the malicious configuration. The attack is initiated remotely if the attacker can upload or provide the configuration directly to a web application, or locally if a user processes a malicious configuration. The primary constraint is the application's mechanism for loading log4net configurations; if it only loads pre-defined, trusted configurations, the risk is lower. However, if the application is designed to allow user-provided configurations, the exploit likelihood increases significantly.

What are the Known Public Exploits?

PoC Author | Link | Commentary
alex-ermolaev | Link | Test application for CVE-2018-1285 alert for Solarwinds DLLs

What are the Available Fixes for CVE-2018-1285?

Available Upgrade Options

  • log4net
    • <2.0.10 → Upgrade to 2.0.10

Additional Resources

What are Similar Vulnerabilities to CVE-2018-1285?

Similar Vulnerabilities: CVE-2017-15707, CVE-2017-9805, CVE-2016-5017, CVE-2015-0252, CVE-2014-6590