[Opensim-dev] Log4J (Ferd Frederix/Fred Beckhusen)

Cinder Roxley cinder at alchemyviewer.org
Wed Dec 15 23:18:13 UTC 2021


https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=7281&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2&sha=f70b070c708ceeabfdce6d62f53aef9c82924571

--
Sent from Canary (https://canarymail.io)

> On Wednesday, Dec 15, 2021 at 5:15 PM, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
> > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > vulnerability.
>
> This is eluding my google-fu and I can't find anything about it. Have a
> link?
>
> -D
>
> On Wed, Dec 15, 2021 at 10:00 AM Fred Beckhusen <fred at mitsi.com> wrote:
>
> > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > vulnerability. That's the issue.
> >
> > We don't load Robust.exe.config or Opensim.exe.config with user supplied
> > data, so AFAIK, we don't have an exploitable security issue. But that
> > may not matter. IT professionals will be much more sensitive to XXE
> > after their Log4J remediation efforts.
> >
> > We all know that the major sponsors of Opensim are Universities. Their
> > IT departments are under attack.
> >
> > ~ Fred
> >
> >
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev at opensimulator.org
> > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev

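The thread above notes that Robust.exe.config and Opensim.exe.config are not loaded with user-supplied data. As an added example (not from the thread or from OpenSim's code), this Python check inspects a config file's bytes for the DTD and entity declarations an XXE depends on; the sample inputs and the function names are constructed for illustration.

```python
import re

# Constructed samples, not taken from OpenSim: a plain config, and one whose
# prolog declares a DTD with an external entity (placeholder URI).
CLEAN = b"""<?xml version="1.0"?>
<configuration>
  <!-- <!DOCTYPE x> inside a comment is inert -->
  <log4net><root><level value="INFO"/></root></log4net>
</configuration>
"""
SUSPECT = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY ext SYSTEM "file:///placeholder">
  <!ENTITY note "internal text">
]>
<configuration><log4net/></configuration>
""".encode("utf-16")  # UTF-16 hides the markup from a byte-level grep

# Comments and CDATA sections can contain DTD-looking text that is never parsed.
INERT = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.DOTALL)
DOCTYPE = re.compile(r"<!DOCTYPE\s+([^\s\[>]+)")
ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?(\S+)\s+(SYSTEM|PUBLIC)?")


def decode_xml(raw: bytes) -> str:
    """Decode by BOM so UTF-16 files are inspected as text, not skipped."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def audit_config(raw: bytes) -> list:
    """Return (kind, name) findings for DTD constructs in a config file."""
    text = INERT.sub("", decode_xml(raw))  # drop comments and CDATA first
    findings = [("doctype", m.group(1)) for m in DOCTYPE.finditer(text)]
    for m in ENTITY.finditer(text):
        scope = "external" if m.group(3) else "internal"
        kind = "parameter" if m.group(1) else "general"
        findings.append((f"{scope}-{kind}-entity", m.group(2)))
    return findings


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_config(raw))
```

An empty result means the file declares no DTD at all; any finding is worth a look, since a config that never needs entities has no reason to carry a DOCTYPE.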
