PT-2020-5531 · Apache+2 · Log4Net+2

Published 2020-05-11 · Updated 2025-06-03 · CVE-2018-1285

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache log4net versions prior to 2.0.10

Description

The issue is caused by improper restriction of XML external entity references (XXE) in the log4net logging library on the .NET Framework platform. Exploitation of this issue may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. This could enable XXE-based attacks in applications that accept arbitrary configuration files from users.

Recommendations

For Apache log4net versions prior to 2.0.10, update to version 2.0.10 or later to resolve the issue. As a temporary workaround, consider disabling the parsing of XML external entities when handling log4net configuration files to minimize the risk of exploitation. Restrict access to log4net configuration files to prevent attackers from providing malicious input.
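
One way to apply the temporary workaround on a version that cannot be upgraded yet, shown as an added example that is not code from this advisory or from the log4net project: the application parses the configuration file itself with DTD processing prohibited and hands the resulting element to log4net. The class name SafeLog4NetConfig and the configPath parameter are hypothetical.

```csharp
// Added example: hypothetical helper, not part of log4net.
using System;
using System.IO;
using System.Reflection;
using System.Xml;
using log4net;
using log4net.Config;
using log4net.Repository;

public static class SafeLog4NetConfig
{
    // Loads a log4net configuration file without resolving DTDs or external
    // entities, then passes the parsed <log4net> element to the configurator.
    public static void Configure(string configPath)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE raises XmlException
            XmlResolver = null                      // no external resource lookups
        };

        var doc = new XmlDocument { XmlResolver = null };
        using (var stream = File.OpenRead(configPath))
        using (var reader = XmlReader.Create(stream, settings))
        {
            doc.Load(reader);
        }

        // The file may be a bare <log4net> document or an app.config containing one.
        XmlNodeList nodes = doc.GetElementsByTagName("log4net");
        if (nodes.Count != 1)
            throw new InvalidOperationException("Expected exactly one <log4net> element.");

        ILoggerRepository repo = LogManager.GetRepository(Assembly.GetExecutingAssembly());
        XmlConfigurator.Configure(repo, (XmlElement)nodes[0]);
    }
}
```

A configuration file that contains a DOCTYPE declaration is rejected with an XmlException before any entity is expanded, which is a useful event to log and alert on.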

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2021-01050
CVE-2018-1285
DLA-2211-1
GHSA-2CWJ-8CHV-9PP9
MGASA-2020-0233
OPENSUSE-SU-2024:12311-1
ROSA-SA-2023-2169
USN-4699-1

Affected Products

Linuxmint
Ubuntu
Log4Net