
XML External Entity attack in log4net (CVE-2018-1285) #869

Closed
MarkusGeigerDev opened this issue Aug 4, 2021 · 1 comment
Labels
Improvement Issues that enhances existing functionality, or adds new features Security Issues that are related to security vulnerabilities, or other security related problems
Milestone

Comments

@MarkusGeigerDev

The dependency log4net.dll in version 1.2.13.0 (probably pulled in indirectly, since ChocolateyGui uses Serilog) fails to disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

Workaround / mitigation

      <dependentAssembly>
        <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.0.11.0" newVersion="2.0.12.0" />
      </dependentAssembly>
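To make the reported failure mode concrete, the following is an added example (not code from this issue, from ChocolateyGui or from log4net) of what a configuration loader does with an attacker-controlled log4net config when it resolves external entities, next to two ways of parsing the same file safely. Python's xml.sax stands in for the .NET XmlDocument that log4net uses; the `unsafe` mode mirrors a parser that expands external entities, `safe` mirrors setting `XmlResolver = null`, and `strict` mirrors `DtdProcessing.Prohibit`. The config, the file it points at and its "hunter2" content are all constructed here for the demonstration.

```python
"""Added example: XXE through a log4net-style config, and two safe parses.
Python's xml.sax stands in for .NET's XmlDocument; everything below is
constructed for the demonstration."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler, xmlreader


def build_config(secret_path):
    # Constructed attacker-controlled log4net config. The external entity is
    # referenced in element text: XML forbids external entity references in
    # attribute values, so `<file value="&xxe;"/>` would not even be well-formed.
    return f"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [
  <!ENTITY xxe SYSTEM "{secret_path}">
]>
<log4net>
  <appender name="FileAppender" type="log4net.Appender.FileAppender">
    <file value="app.log" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%message%newline" />
    </layout>
  </appender>
  <root>
    <level value="DEBUG" />
    <appender-ref ref="FileAppender" />
    &xxe;
  </root>
</log4net>
"""


# Constructed benign config with no DOCTYPE at all; strict mode must accept it.
CLEAN_CONFIG = '<log4net><root><level value="DEBUG" /></root></log4net>'


class TextCollector(handler.ContentHandler):
    """Collects every character-data chunk, i.e. the text a config loader sees."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class DtdRejector:
    """Lexical handler that aborts on any DOCTYPE: the analogue of .NET's
    DtdProcessing.Prohibit. A configuration file has no business carrying a DTD."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DTD not allowed in configuration (root element {name!r})")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_config(xml_text, mode):
    """mode: 'unsafe' expands external entities (the behaviour the issue reports),
    'safe' leaves them unresolved, 'strict' refuses any DTD up front."""
    if mode not in ("unsafe", "safe", "strict"):
        raise ValueError(f"unknown mode {mode!r}")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, mode == "unsafe")
    if mode == "strict":
        parser.setProperty(handler.property_lexical_handler, DtdRejector())
    collector = TextCollector()
    parser.setContentHandler(collector)
    source = xmlreader.InputSource()
    source.setByteStream(io.BytesIO(xml_text.encode("utf-8")))
    parser.parse(source)
    return "".join(collector.chunks)


def demo():
    """Returns (unsafe_leaked, safe_leaked, strict_rejected) for the same config."""
    fd, secret_path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("hunter2")  # constructed stand-in for a credential file on the host
    try:
        config = build_config(secret_path)
        unsafe_leaked = "hunter2" in parse_config(config, "unsafe")
        safe_leaked = "hunter2" in parse_config(config, "safe")
        try:
            parse_config(config, "strict")
            strict_rejected = False
        except ValueError:
            strict_rejected = True
    finally:
        os.remove(secret_path)
    return unsafe_leaked, safe_leaked, strict_rejected


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The `unsafe` parse pulls the file named in the `SYSTEM` literal straight into the document text, which is the primitive behind the file-read, SSRF and entity-expansion variants of XXE; `safe` keeps the declaration but never fetches it, and `strict` fails the parse before any entity is even declared. For a configuration format, rejecting DTDs outright is the setting to prefer, since a legitimate log4net config never needs one.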
@gep13 gep13 changed the title Critical XXE vulnerabililty in Chocolatey Gui due to outdated version 1.2.13.0 of log4net XML External Entity attack in log4net (CVE-2018-1285) Sep 2, 2021
@gep13 gep13 added REQUIRES DEPENDENCY UPDATE Security Issues that are related to security vulnerabilities, or other security related problems labels Sep 2, 2021
@gep13 gep13 modified the milestones: 0.20.0, 0.19.0 Sep 2, 2021
gep13 added a commit that referenced this issue Sep 6, 2021
This addresses a security finding, CVE-2018-1285, which was reported in
an earlier version of log4net.  This also matches the version of log4net
that is used in the Chocolatey CLI.
@gep13 gep13 closed this as completed Sep 6, 2021
@gep13 gep13 added REQUIRES DEPENDENCY UPDATE Improvement Issues that enhances existing functionality, or adds new features and removed REQUIRES DEPENDENCY UPDATE labels Sep 6, 2021
gep13 added a commit that referenced this issue Sep 6, 2021
* release/0.19.0:
  (#882) Make use of OSS Export Command
  (#883 #884) Add package parameters for features
  (#884) Add feature toggle for Update All button
  (#884) Add feature toggle for This PC source
  (#881) Add IsUpgradeAllCommandAllowed to interface
  (#882) Use latest chocolatey.lib nuget package
  (#869) Update to use latest version of log4net
  (#882) Bump chocolatey dependency
gep13 added a commit that referenced this issue Sep 6, 2021
* release/0.19.0:
  (maint) Reduce description to below 4000 chars
  (#882) Make use of OSS Export Command
  (#883 #884) Add package parameters for features
  (#884) Add feature toggle for Update All button
  (#884) Add feature toggle for This PC source
  (#881) Add IsUpgradeAllCommandAllowed to interface
  (#882) Use latest chocolatey.lib nuget package
  (#869) Update to use latest version of log4net
  (#882) Bump chocolatey dependency
@choco-bot

🎉 This issue has been resolved in version 0.19.0 🎉

The release is available on:

Your GitReleaseManager bot 📦🚀

3 participants