Posted to dev@logging.apache.org by "Venkamsetty, VenkataRao" <Ve...@Honeywell.Com.INVALID> on 2020/06/17 14:50:23 UTC

Re: [CVE-2018-1285] XXE vulnerability in Apache log4net

Why is this an issue if the configuration file is loaded from a trusted source?

On 2020/05/25 16:28:20, Suthish Nair <s....@gmail.com> wrote:
> Hi,
>
> Good Day!
>
> Is there any mitigation or vulnerability fix available for .NET Core
> frameworks?
>
> Please let me know.
>
> Regards
> Suthish
>

Re: [CVE-2018-1285] XXE vulnerability in Apache log4net

Posted by Dominik Psenner <dp...@gmail.com>.
An important note to make is that even if the file is loaded from a trusted
source, it should reference only files that come from trusted sources. DTD
statements may slip through in this consideration. Note further that
"https://" is not a warranty for a trusted source, it only guarantees a
secure transportation of information. The contents that are transported may
be tampered with.

On Wed, 17 Jun 2020 at 17:13, Matt Sicker <bo...@gmail.com> wrote:

> It's not an issue if the config file is a trusted source. It's
> generally not a good idea to do that in the first place, either.
>
> On Wed, 17 Jun 2020 at 09:56, Venkamsetty, VenkataRao
> <Ve...@honeywell.com.invalid> wrote:
> >
> > Why is this an issue if the configuration file is loaded from a trusted
> > source?
> >
> > On 2020/05/25 16:28:20, Suthish Nair <s....@gmail.com> wrote:
> > > Hi,
> > >
> > > Good Day!
> > >
> > > Is there any mitigation or vulnerability fix available for .NET Core
> > > frameworks?
> > >
> > > Please let me know.
> > >
> > > Regards
> > > Suthish
> > >
>
>
>
> --
> Matt Sicker <bo...@gmail.com>
>


-- 
Dominik Psenner
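The point above, that a trusted file can still pull in untrusted content through a DTD, is easiest to see in a loader that refuses DTDs outright. The following is an added example written for this thread, not log4net's own code; the class SafeConfigLoader, the method LoadHardened and the sample configuration (which declares an external entity pointing at a placeholder path) are all constructed for illustration.

```csharp
// Added example (not log4net's code): parse an XML configuration with DTD
// processing prohibited and no external resolver, so an entity declaration
// that references another file is rejected rather than fetched and expanded.
using System;
using System.IO;
using System.Xml;

public static class SafeConfigLoader
{
    // Constructed sample: a log4net-style config carrying an external entity.
    // A parser that honours DTDs would read the referenced file into the
    // attribute value; the path below is a placeholder, not a real target.
    public const string ConstructedConfig = @"<?xml version=""1.0""?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM ""file:///tmp/constructed-sample.txt""> ]>
<log4net>
  <appender name=""&ext;"" type=""log4net.Appender.ConsoleAppender"" />
</log4net>";

    // Returns the parsed document, or throws XmlException when the input
    // contains any DOCTYPE (the hardened reader settings refuse it).
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> is an error
            XmlResolver = null                      // never resolve external URIs
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // XmlResolver = null on the document as well, as defence in depth.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    public static void Main()
    {
        try
        {
            LoadHardened(ConstructedConfig);
            Console.WriteLine("loaded (not expected for input that carries a DTD)");
        }
        catch (XmlException ex)
        {
            // Expected path: the reader reports that DTD is prohibited.
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

The same two settings also neutralise entity expansion attacks that do not need network access, because the DOCTYPE is refused before any entity is defined.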

Re: [CVE-2018-1285] XXE vulnerability in Apache log4net

Posted by Matt Sicker <bo...@gmail.com>.
It's not an issue if the config file is a trusted source. It's
generally not a good idea to do that in the first place, either.

On Wed, 17 Jun 2020 at 09:56, Venkamsetty, VenkataRao
<Ve...@honeywell.com.invalid> wrote:
>
> Why is this an issue if the configuration file is loaded from a trusted source?
>
> On 2020/05/25 16:28:20, Suthish Nair <s....@gmail.com> wrote:
> > Hi,
> >
> > Good Day!
> >
> > Is there any mitigation or vulnerability fix available for .NET Core
> > frameworks?
> >
> > Please let me know.
> >
> > Regards
> > Suthish
> >



-- 
Matt Sicker <bo...@gmail.com>