Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/04/04 22:30:05 UTC

[jira] [Updated] (LOG4NET-282) Database Risk and PCI Compliance with ado.net appender

     [ https://issues.apache.org/jira/browse/LOG4NET-282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralph Goers updated LOG4NET-282:
--------------------------------

LOG4NET is now dormant.  

> Database Risk and PCI Compliance with ado.net appender
> ------------------------------------------------------
>
>                 Key: LOG4NET-282
>                 URL: https://issues.apache.org/jira/browse/LOG4NET-282
>             Project: Log4net
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 1.2.9, 1.2.10
>            Reporter: Tim Schwallie
>            Priority: Major
>              Labels: security
>             Fix For: 1.2/2.0 Maintenance Release
>
>
> Per our PCI/Risk exposure reviewer, the ado.net appender in log4net is a risk. Essentially, if somebody can gain access to the config file, they can change the config file to run any query via an error.
> Obviously, there's a bigger concern if somebody can change a config file. 
> The reviewer felt that with log4net being a popular tool this was a high risk because of how easy it would be for an attacker to change it.
> Other logging tools make a call to a hard-coded stored procedure to log to a database.
> If the ado.net appender could be changed to call a fixed stored procedure and perhaps pass parameters with some fixed and maybe a concatenated string for a variable number of parameters, the risk would probably be removed. The SP would be responsible for working with the concatenated string. A formatter may be the way to go to make the concatenated string.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
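As an added example (not code from the issue, from log4net or from the reporter), a small Python audit of a log4net config that flags an AdoNetAppender whose SQL text lives in the config file, next to the fixed stored-procedure form the reporter suggests. The element names (commandType, commandText, parameter, layout) are log4net's real AdoNetAppender settings; the appender name "Db", the table "Log" and the procedure "WriteLog" are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the issue). The element names are log4net's own
# AdoNetAppender settings; the appender name "Db" and procedure "WriteLog" are made up.
WEAK_CONFIG = """<log4net>
  <appender name="Db" type="log4net.Appender.AdoNetAppender">
    <commandText value="INSERT INTO Log ([Message]) VALUES (@message)" />
    <parameter>
      <parameterName value="@message" /><dbType value="String" /><size value="4000" />
      <layout type="log4net.Layout.PatternLayout"><conversionPattern value="%message" /></layout>
    </parameter>
  </appender>
</log4net>"""

# Same appender, but the SQL is fixed in the database: log4net only names the procedure
# and binds parameters, so editing this file can no longer change what is executed.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<commandText value="INSERT INTO Log ([Message]) VALUES (@message)" />',
    '<commandType value="StoredProcedure" />\n    <commandText value="WriteLog" />')

# A bare procedure identifier, optionally schema-qualified (e.g. dbo.WriteLog).
PROC_NAME = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)?$")

def audit(config_xml, allowed_procs):
    """Return findings for every AdoNetAppender that does not call an allow-listed
    stored procedure; an empty list means the config passes."""
    findings = []
    for app in ET.fromstring(config_xml).iter("appender"):
        if not app.get("type", "").endswith("AdoNetAppender"):
            continue
        name = app.get("name", "?")
        ctype_el = app.find("commandType")
        # log4net's default CommandType is Text, i.e. free SQL taken from the config.
        ctype = ctype_el.get("value", "Text") if ctype_el is not None else "Text"
        text_el = app.find("commandText")
        text = (text_el.get("value", "") if text_el is not None else "").strip()
        if ctype != "StoredProcedure":
            findings.append(f"{name}: commandType={ctype}; SQL text from the config is executed")
        if not PROC_NAME.match(text):
            findings.append(f"{name}: commandText is not a bare procedure name: {text!r}")
        elif text not in allowed_procs:
            findings.append(f"{name}: procedure {text!r} is not allow-listed")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, {"WriteLog"}) or ["ok"])
```

Running the audit at deployment time (or as a file-integrity check) catches a config that has drifted from the fixed-procedure form, which is the scenario the reviewer raised.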