[Opensim-dev] Check if we are impacted by latest Zero-day exploiting Apache Log4j logging library
Michel Beauregard
gimisa at yahoo.fr
Tue Dec 14 17:07:36 UTC 2021
"Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
according to CVE-2018-1285..."
I think Fred is referring to the following security test dating from 2020, where they had identified a vulnerability in both the 2.0.7 and 2.0.8 versions. As you can see from the patch date, that was solved last year and fixed in version 2.0.10.
[LOG4NET-575] log4net function having XXE vulnerability - ASF JIRA
The JIRA list does not seem to point to anything new that would relate to the Log4j Zero-Day problem.
Please consider I am not an expert, but Log4Net is NOT Log4J.
The Apache log4net library is a tool to help the programmer output log statements to a variety of output targets. log4net is a port of the excellent Apache log4j™ framework to the Microsoft® .NET runtime. Apache have kept the framework similar "in spirit" to the original log4j while taking advantage of new features in the .NET runtime.
Ref https://logging.apache.org/log4net/
GiMiSa
On Tuesday, December 14, 2021, 05:11:05 EST, Ai Austin <ai.ai.austin at gmail.com> wrote:
Fred Beckhusen gave me some useful background on this... we use
Log4Net 2.0.8.0 in OpenSim 0.9.2.0 release and 0.9.21. Dev master,
and Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
according to CVE-2018-1285...
https://github.com/advisories/GHSA-2cwj-8chv-9pp9
Fred also added that he did hear something about OpenSim not allowing
arbitrary anything to be injected into Log4Net. Maybe those in the
know could take a look at that.
_______________________________________________
Opensim-dev mailing list
Opensim-dev at opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev