CVE-2018-1285
📋 TL;DR
Apache log4net versions before 2.0.10 have XML external entities (XXE) enabled when parsing configuration files, allowing attackers to read arbitrary files, perform server-side request forgery, or cause denial of service. This affects any application using vulnerable log4net versions that accepts attacker-controlled configuration files. The vulnerability is particularly dangerous when applications allow users to upload or specify log4net configuration files.
💻 Affected Systems
- Apache log4net
📦 What is this software?
Fedora by Fedoraproject
Log4net by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, complete system compromise, sensitive data exfiltration, and lateral movement within the network through XXE attacks.
Likely Case
Arbitrary file read from the server, server-side request forgery to internal systems, and potential denial of service through entity expansion attacks.
If Mitigated
Limited impact if configuration files are not user-controllable and proper input validation is in place.
🎯 Exploit Status
Exploitation requires the application to parse attacker-controlled log4net configuration files. XXE attacks are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.10 and later
Vendor Advisory: https://issues.apache.org/jira/browse/LOG4NET-575
Restart Required: Yes
Instructions:
1. Update the log4net package to version 2.0.10 or later.
2. For NuGet: Update-Package log4net -Version 2.0.10
3. Rebuild and redeploy applications.
4. Restart affected services.
🔧 Temporary Workarounds
Disable DTD processing
Configure XML parsers to disable DTD processing and external entity resolution:
- Set the XmlResolver property to null in XmlReaderSettings
- Set ProhibitDtd = true in XmlTextReader
Restrict configuration sources
Ensure log4net configuration files only come from trusted, hardcoded locations.
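The workaround above can be applied without waiting for an upgrade by parsing the configuration yourself with a hardened XmlReader and handing the resulting element to log4net, so that log4net's own (pre-2.0.10, DTD-enabled) file parsing is never used. The C# below is an added example, not code from the log4net project; it assumes the log4net.Config.XmlConfigurator.Configure(ILoggerRepository, XmlElement) overload, which exists in log4net 2.0.x, and a hardcoded configuration path chosen by the deployer. DtdProcessing.Prohibit refuses any DOCTYPE outright, which covers both external entities and internal entity-expansion denial of service; XmlResolver = null alone would only stop the external fetch. The Main method writes two constructed sample files (one plain, one with a harmless internal DTD) to show the loader accepting the first and rejecting the second.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml;
using log4net;
using log4net.Config;

// Added example (not log4net project code): load a log4net XML configuration
// through a hardened XmlReader, then pass the parsed element to log4net.
public static class SafeLog4NetConfigurator
{
    // Hardened reader settings: any DOCTYPE is an error, and no resolver is
    // available for external DTDs, entities or schemas.
    public static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            IgnoreProcessingInstructions = true,
            CloseInput = true
        };
    }

    // Parse a configuration file without resolving any external resource.
    // Throws XmlException if the file carries a DOCTYPE, and InvalidDataException
    // if the root element is not <log4net>.
    public static XmlElement LoadConfigElement(string path)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var stream = File.OpenRead(path))
        using (var reader = XmlReader.Create(stream, HardenedSettings()))
        {
            doc.Load(reader);
        }
        XmlElement root = doc.DocumentElement;
        if (root == null || root.LocalName != "log4net")
            throw new InvalidDataException("Root element is not <log4net>: " + path);
        return root;
    }

    // Configure log4net from a trusted, hardcoded path (assumed to be chosen by
    // the deployer, never by a user) using the hardened parser above.
    public static void Configure(string trustedPath)
    {
        XmlElement element = LoadConfigElement(trustedPath);
        XmlConfigurator.Configure(LogManager.GetRepository(Assembly.GetExecutingAssembly()), element);
    }

    public static void Main()
    {
        // Constructed sample inputs for the demonstration.
        const string plain = "<log4net><root><level value=\"INFO\"/></root></log4net>";
        // A harmless internal DTD is enough to show that every DOCTYPE is refused.
        const string withDtd = "<!DOCTYPE log4net [<!ENTITY greet \"hi\">]><log4net>&greet;</log4net>";

        string plainPath = Path.GetTempFileName();
        string dtdPath = Path.GetTempFileName();
        File.WriteAllText(plainPath, plain);
        File.WriteAllText(dtdPath, withDtd);

        Console.WriteLine("plain config root: " + LoadConfigElement(plainPath).Name);
        try
        {
            LoadConfigElement(dtdPath);
            Console.WriteLine("UNEXPECTED: DTD config was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DTD config rejected: " + ex.Message);
        }
    }
}
```

Call SafeLog4NetConfigurator.Configure with the fixed path at application start-up instead of XmlConfigurator.Configure(FileInfo) or the log4net.Config.XmlConfigurator assembly attribute, so no code path hands an unparsed file to the vulnerable loader.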
🧯 If You Can't Patch
- Implement strict input validation to reject any user-supplied configuration files
- Use application-level firewalls to block outbound connections from affected systems
🔍 How to Verify
Check if Vulnerable:
Check log4net assembly version in application binaries or configuration. Versions below 2.0.10 are vulnerable if they parse external configuration files.
Check Version:
powershell: [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path 'log4net.dll').Path).Version
(GetAssemblyName reads the version from assembly metadata without loading the DLL into the process; Assembly.LoadFile requires an absolute path and would load the assembly.)
Verify Fix Applied:
Verify log4net version is 2.0.10 or higher in deployed applications and test that XXE payloads in configuration files are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from application process
- Outbound connections to unexpected internal/external systems
- XML parsing errors with external entity references
Network Indicators:
- HTTP requests to internal systems from application server
- DNS requests for unusual domains from application process
SIEM Query:
source='application_logs' AND (message CONTAINS 'file:' OR message CONTAINS 'http:' OR message CONTAINS 'ENTITY')
🔗 References
- https://issues.apache.org/jira/browse/LOG4NET-575
- https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
- https://security.netapp.com/advisory/ntap-20220909-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html