Posted to notifications@logging.apache.org by "Erik Mavrinac (Jira)" <ji...@apache.org> on 2021/12/01 23:53:00 UTC

[jira] [Commented] (LOG4NET-679) Many systems receiving vulnerability notice for log4net.dll for multiple applications.

    [ https://issues.apache.org/jira/browse/LOG4NET-679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452090#comment-17452090 ] 

Erik Mavrinac commented on LOG4NET-679:
---------------------------------------

Per the CVE, the minimum version that apps will have to move to is 2.0.10. But since distribution of log4net is not controlled by the log4net team, you need to open an issue with each product or service that is distributing the binary to get them to move to the latest, then distribute a new version to resolve your CVE scanner.

> Many systems receiving vulnerability notice for log4net.dll for multiple applications.
> --------------------------------------------------------------------------------------
>
>                 Key: LOG4NET-679
>                 URL: https://issues.apache.org/jira/browse/LOG4NET-679
>             Project: Log4net
>          Issue Type: Bug
>    Affects Versions: 1.2.10, 2.0.8
>         Environment: Windows 10
>            Reporter: Marcia Williams
>            Priority: Major
>              Labels: patch
>         Attachments: apache log4net.dll_Dameware Vuln_22nov21.PNG, apache log4net.dll_Dell Vuln_22nov21.PNG
>
>
> We have hundreds of computers that are flagging Apache log4net.dll as a CRITICAL VULNERABILITY! (CVE-2018-1285 for log4net)
> Because log4net is installed as part of many applications there is no consistent version or application that is affected. It looks like anything that uses *log4net.dll* is being flagged with different versions of the .dll.
> I have looked everywhere and cannot figure out how to get a patch for this. All assistance is appreciated as this is a CRITICAL level vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
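
An added example, not part of the original thread or the log4net project: a PowerShell inventory that lists every bundled log4net.dll, its file version, and whether it is below the 2.0.10 minimum named in the comment, grouped by the product that ships it so an issue can be opened with each vendor. The search roots, the `Product` guess (first folder under the root), the output file name, and the assumption that the DLL's file version matches the log4net release are all assumptions.

```powershell
# Added example: inventory bundled log4net.dll copies and flag versions below 2.0.10.
param(
    # Search roots are assumptions; add any other application install locations.
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
    # Output file name is an assumption.
    [string]$CsvPath = '.\log4net-inventory.csv'
)

# Minimum version stated in the Jira comment for CVE-2018-1285.
$MinimumFixed = [version]'2.0.10'

function Get-DllFileVersion {
    param([string]$Path)
    # Read the version resource; use the numeric parts because the
    # FileVersion string can carry non-numeric suffixes.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [version]::new($info.FileMajorPart, $info.FileMinorPart,
                   $info.FileBuildPart, $info.FilePrivatePart)
}

$findings = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Filter 'log4net.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $version = Get-DllFileVersion -Path $_.FullName
            # Assumption: the first folder under the root names the owning product.
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            [pscustomobject]@{
                Product    = $relative.Split('\')[0]
                Version    = $version
                BelowFixed = $version -lt $MinimumFixed
                Path       = $_.FullName
            }
        }
}

# Per-file detail, for attaching to vendor tickets or scanner exceptions.
$findings | Sort-Object Product, Path | Export-Csv -Path $CsvPath -NoTypeInformation

# One row per product that still ships a copy below 2.0.10.
$findings | Where-Object BelowFixed | Group-Object Product | ForEach-Object {
    [pscustomobject]@{
        Product  = $_.Name
        Copies   = $_.Count
        Versions = ($_.Group.Version | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

A copy with no version resource reports 0.0.0.0 and is flagged, so check those files by hand.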