log4net.dll Security Vulnerability #660

Open
YoniTigris opened this issue Jan 16, 2023 · 2 comments
Comments

@YoniTigris

Fortinet FortiClient Vulnerability Scan reported that the files:
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloud\1.0.1.10\fullclr\log4net.dll
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloudBeta\1.0.1.10\fullclr\log4net.dll
contain the security vulnerability CVE-2018-1285 for log4net.
How do I upgrade log4net to 2.0.10 or higher?

Thanks in advance :-)

@BigMacIT

BigMacIT commented Sep 4, 2024

Critical Security Vulnerability in log4net.dll (CVE-2018-1285)

Issue Details

I've identified a critical security vulnerability in the Google Cloud SDK installation:

  • File: \Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloudBeta\1.0.1.10\fullclr\log4net.dll
  • Current Version: 2.0.7.0
  • Vulnerability: CVE-2018-1285
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • CVSS Exploitability Score: 3.9
  • Fixed Version: 2.0.10
  • Source: NVD - CVE-2018-1285

This vulnerability in log4net allows attackers to execute arbitrary code via a crafted serialized object in the data stream. Given its critical severity and high exploitability score, this poses a significant security risk.

Steps to Reproduce

  1. Install Google Cloud SDK
  2. Navigate to the path mentioned above
  3. Check the version of log4net.dll (2.0.7.0)

Expected Behavior

The SDK should include the patched version of log4net.dll (2.0.10 or later) to mitigate this vulnerability.

Actual Behavior

The SDK includes an outdated and vulnerable version of log4net.dll (2.0.7.0).

Impact

This vulnerability could potentially allow malicious actors to execute arbitrary code, compromising the security of systems using the Google Cloud SDK.

Proposed Solution

  1. Update the bundled log4net.dll to version 2.0.10 or later in the Google Cloud SDK package.
  2. Implement a process for regular security audits of third-party dependencies in the SDK.
  3. Consider adding an auto-update feature for critical security patches in SDK components.

This issue requires urgent attention due to its severity. Could you please provide an update on when we can expect a fix for this vulnerability?

Thank you for your prompt attention to this critical security matter.
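The "Steps to Reproduce" above amount to checking the file version of each bundled log4net.dll by hand. The following PowerShell script is an added example, not code from the issue or from the Google Cloud SDK project. It assumes the default Cloud SDK install root used in the reported paths (adjust $SdkRoot otherwise), enumerates every log4net.dll under it, compares the file version against 2.0.10 (the fixed version the reporters cite for CVE-2018-1285), and then checks whether any running process has actually loaded one of those copies, since a deserialization issue is only reachable once the library is loaded into a process.

```powershell
# Added example; not part of the issue or the Google Cloud SDK.
# Assumes the default Cloud SDK install root; change $SdkRoot if installed elsewhere.
$SdkRoot  = 'C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk'
$FixedVer = [version]'2.0.10'   # first release cited above as fixed for CVE-2018-1285

# 1. Find every log4net.dll under the SDK and compare its file version with the fixed one.
$findings = Get-ChildItem -Path $SdkRoot -Recurse -Filter 'log4net.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw = $_.VersionInfo.FileVersion
        # FileVersion may carry trailing text; keep only the leading dotted numeric part.
        $numeric = if ($raw) { ($raw -split '[^\d.]')[0] } else { '0.0' }
        $ver = [version]$numeric
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            Vulnerable = ($ver -lt $FixedVer)
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No log4net.dll found under $SdkRoot"
}

# 2. Check whether any running process has loaded one of these copies.
#    An on-disk vulnerable DLL is still a finding, but a loaded one is the case that
#    matters for the crafted-serialized-object issue described in the comment above.
$loaded = foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    # Module enumeration throws for protected or 64/32-bit mismatched processes; skip those.
    $modules = $(try { $p.Modules } catch { @() })
    $modules |
        Where-Object { $_.ModuleName -ieq 'log4net.dll' -and $_.FileName -like "$SdkRoot*" } |
        ForEach-Object {
            [pscustomobject]@{ Process = $p.ProcessName; ProcessId = $p.Id; Module = $_.FileName }
        }
}

if ($loaded) {
    $loaded | Format-Table -AutoSize
} else {
    'No running process currently has log4net.dll loaded from the SDK path.'
}
```

Run it from an elevated PowerShell session so that module lists of other users' processes can be read. The bundled copies live under the GoogleCloud and GoogleCloudBeta PowerShell module directories, so they are normally loaded only into a PowerShell process that has imported one of those modules; running the script while such a session is open shows that case in the second table.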

@pberenyi

pberenyi commented Dec 3, 2024

After nearly 2 years, this is still open. If the library is not used for anything, why include it? If it is used for something, why not upgrade to a non-vulnerable version?