You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@logging.apache.org by "Dominik Psenner (JIRA)" <ji...@apache.org> on 2017/09/11 20:27:00 UTC
[jira] [Commented] (LOG4NET-575) log4net function having XXE
vulnerability
[ https://issues.apache.org/jira/browse/LOG4NET-575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161928#comment-16161928 ]
Dominik Psenner commented on LOG4NET-575:
-----------------------------------------
Hi,
Thanks for your report. We take security issues very serious and are evaluating possible attack vectors. Please redirect further discussion and information to the logging pmc mailing list. Would you please send an email there so that we have a way to stay in contact?
Best regards,
Dominik
> log4net function having XXE vulnerability
> ------------------------------------------
>
> Key: LOG4NET-575
> URL: https://issues.apache.org/jira/browse/LOG4NET-575
> Project: Log4net
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.0.7, 2.0.8
> Environment: Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012.
> Reporter: karthik kumar balasundaram
> Labels: patch
> Fix For: 2.0.7, 2.0.8
>
> Attachments: veracode_report.jpg
>
>
> Recently we ran veracode (security tool) for our application. Veracode gave us the report that log4net function 'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has Improper Restriction of XML External Entity Reference (XXE) error. We are seeing this vulnerability in both 2.0.7 and 2.0.8 versions.
> Attached screenshot for further reference.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)