Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users. References: https://issues.apache.org/jira/browse/LOG4NET-575 https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
As far as I can see, we are using version 2.0.8 in all supported Fedora releases and in Epel 7 and 8: We don't have a package in Epel 6. https://apps.fedoraproject.org/packages/log4net
@Guilherme: you wrote "before 2.0.8", but the Apache issue says "Affected: log4net up to 2.0.8" Here is the patch that fixes it: https://github.com/apache/logging-log4net/commit/d0b4b01 I will apply this to the packages.
In reply to comment #2: > @Guilherme: you wrote "before 2.0.8", but the Apache issue says "Affected: > log4net up to 2.0.8" > > Here is the patch that fixes it: > https://github.com/apache/logging-log4net/commit/d0b4b01 > > I will apply this to the packages. This is the way it was reported to Mitre[1]. Since the package is affected by this issue I will create Fedora and EPEL trackers for it. Thanks. [1]. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285
Created log4net tracking bugs for this issue: Affects: epel-all [bug 1836222] Affects: fedora-all [bug 1836221]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.