Vulnerability Details : CVE-2018-1285
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Vulnerability category: XML external entity (XXE) injection
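The advisory text above describes the bug in one sentence: log4net before 2.0.10 hands a configuration document to an XML parser that still resolves DOCTYPE and external entity declarations, so whoever controls the config file controls what the parser reads. The script below is an added example, not code from the log4net project or from this advisory. It implements the two pre-flight checks a practitioner would want before an externally supplied config reaches log4net: a numeric version comparison against 2.0.10, and a DTD/entity scan that reports every DOCTYPE, entity declaration and external entity reference without resolving any of them. The two configuration documents are constructed for the example; the .NET setting named in a comment (XmlReaderSettings with DtdProcessing.Prohibit) is the general .NET mitigation, not a description of the log4net patch itself.

```python
"""Pre-flight checks for CVE-2018-1285 (XXE via log4net configuration files).

Two checks to run before a configuration file reaches log4net: is the
upstream version older than 2.0.10, and does the document declare a DTD or
any entity at all. Standard library only (expat), so it runs offline.
Example code added for illustration; not part of log4net.
"""
import xml.parsers.expat

# Constructed sample documents (not taken from any real deployment).
SAFE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
    <file value="app.log" />
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="RollingFile" />
  </root>
</log4net>
"""

# Constructed hostile document. The entity is referenced in element content:
# XML forbids references to external entities inside attribute values, so an
# attacker cannot put &xxe; directly into value="...".
XXE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<log4net>
  <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
    <file>&xxe;</file>
  </appender>
</log4net>
"""


def is_vulnerable_version(version: str) -> bool:
    """True when an upstream log4net version string is older than 2.0.10.

    Compares numerically: plain string comparison would sort "2.0.9" after
    "2.0.10" and mark the fixed release as vulnerable. Distribution builds
    that backport the fix (Fedora ships it as log4net-2.0.8-10) keep the old
    upstream number, so consult the package changelog for those.
    """
    parts = []
    for piece in version.strip().split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) < (2, 0, 10)


def dtd_findings(xml_text: str) -> list:
    """Report every DTD construct in a document without resolving anything.

    Any DOCTYPE is reported, because the safe policy for configuration files
    is to prohibit DTDs outright (on .NET: XmlReaderSettings with
    DtdProcessing.Prohibit). External entities, the vector for file
    disclosure and SSRF, are listed with their target URI. Expat only fetches
    external content through ExternalEntityRefHandler, and ours merely
    records the reference, so scanning hostile input here is safe.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}")
        if sysid:
            findings.append(f"external DTD subset {sysid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter entity" if is_param else "general entity"
        if sysid:
            findings.append(f"external {kind} {name} -> {sysid}")
        else:
            findings.append(f"internal {kind} {name}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"reference to external entity {sysid}")
        return 1  # tell expat to continue without opening the entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


def config_is_safe(xml_text: str) -> bool:
    """Accept only well-formed documents with no DTD constructs at all."""
    return dtd_findings(xml_text) == []


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_CONFIG), ("xxe", XXE_CONFIG)):
        print(label, "->", "accept" if config_is_safe(doc) else "reject")
        for finding in dtd_findings(doc):
            print("   ", finding)
    for v in ("2.0.8", "2.0.9", "2.0.10", "2.0.15"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The scan rejects any DOCTYPE rather than trying to tell harmless internal entities from dangerous ones; a log4net configuration has no legitimate need for a DTD, and that is the same policy DtdProcessing.Prohibit enforces in .NET. The version check is only a first filter: the Fedora updates listed under the references below carry the fix in packages still numbered 2.0.8, so a bare version comparison would flag them as vulnerable.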
Products affected by CVE-2018-1285
- cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_simphony:18.2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_simphony:19.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1285
- EPSS score: 49.02% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-1285
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2018-1285
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2018-1285
- [Mailing List; Vendor Advisory] log4net.dll - does 2.0.9 fix CVE-2018-1285: https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d@%3Cdev.logging.apache.org%3E
- [Patch; Third Party Advisory] Oracle Critical Patch Update Advisory - April 2022: https://www.oracle.com/security-alerts/cpuapr2022.html
- [Mailing List; Vendor Advisory] dev.logging.apache.org thread: https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f@%3Cdev.logging.apache.org%3E
- [Third Party Advisory] CVE-2018-1285 Apache Log4net Vulnerability in NetApp Products: https://security.netapp.com/advisory/ntap-20220909-0001/
- [Mailing List; Third Party Advisory] [SECURITY] Fedora 32 Update: log4net-2.0.8-10.fc32: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/
- [Mailing List; Third Party Advisory] [SECURITY] Fedora 31 Update: log4net-2.0.8-10.fc31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
- [Third Party Advisory] Oracle Critical Patch Update Advisory - January 2021: https://www.oracle.com/security-alerts/cpujan2021.html
- [Mailing List; Vendor Advisory] Re: [CVE-2018-1285] XXE vulnerability in Apache log4net: https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866@%3Cdev.logging.apache.org%3E
- [Third Party Advisory] Oracle Critical Patch Update Advisory - April 2021: https://www.oracle.com/security-alerts/cpuApr2021.html
- [Issue Tracking; Vendor Advisory] [LOG4NET-575] log4net function having XXE vulnerability (ASF JIRA): https://issues.apache.org/jira/browse/LOG4NET-575
- [Mailing List; Vendor Advisory] [VOTE] [log4net] Release 2.0.10: https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872@%3Cdev.logging.apache.org%3E
- [Mailing List; Vendor Advisory] Re: [CVE-2018-1285] XXE vulnerability in Apache log4net: https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a@%3Cdev.logging.apache.org%3E
- [Mailing List; Vendor Advisory] [CVE-2018-1285] XXE vulnerability in Apache log4net: https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9@%3Cdev.logging.apache.org%3E
- [Mailing List; Vendor Advisory] [CVE-2018-1285] XXE vulnerability in Apache log4net: https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
- [Mailing List; Third Party Advisory] [SECURITY] Fedora 30 Update: log4net-2.0.8-10.fc30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/
- [Mailing List; Vendor Advisory] Solution for vulnerability: https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3@%3Cdev.logging.apache.org%3E
- [Mailing List; Vendor Advisory] Re: log4net.dll - does 2.0.9 fix CVE-2018-1285: https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732@%3Cdev.logging.apache.org%3E