What is CVE-2018-1285?

CVE-2018-1285 is a vulnerability in Apache Log4net. Published 2020-05-11.

Is CVE-2018-1285 known to be exploited?

11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Log4net

CVE-2018-1285

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

EPSS: 0.656 (98.5th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Log4net — versions Apache log4net up to 2.0.8

Public proof-of-concept exploits

References

FEDORA-2020-cfc319e067 (x_refsource_FEDORA, vendor-advisory)
FEDORA-2020-73d380e9b9 (x_refsource_FEDORA, vendor-advisory)
FEDORA-2020-847775bf79 (x_refsource_FEDORA, vendor-advisory)
[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285 (mailing-list, x_refsource_MLIST)
[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285 (mailing-list, x_refsource_MLIST)
[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10 (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2018-1285?: CVE-2018-1285 is a vulnerability in Apache Log4net. Published 2020-05-11.
Is CVE-2018-1285 known to be exploited?: 11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.