Exciting changes are coming as we upgrade our community website. You may notice a fresh new look and some differences in how things work. We will post more details soon and can’t wait to welcome you to our improved space!

Forum Discussion

HZO-GB's avatar
HZO-GB
Active Contributor
2 years ago
Solved

CVE-2018-1285 Apache log4net XML External Entity Vulnerability

********************************** EDIT1: 2024/05/06 DESPITE THE "SOLVED" MARKINGS THE VULNERABILITY REMAINS. DO NOT BE FOOLED BY GOTO! **********************************   Why is this ancient C...
  • GlennD's avatar
    GlennD
    2 years ago

    Hi HZO-GB, welcome to the community.

     

    The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

     

GlennD's avatar
GlennD
GoTo Manager
2 years ago

Hi HZO-GB, welcome to the community.

 

The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

 

  • HZO-GB's avatar
    HZO-GB
    Active Contributor
    2 years ago

    GlennD  can you provide an update, and also follow up on my ticket 19744340?

    • GlennD's avatar
      GlennD
      GoTo Manager
      2 years ago

      HZO-GB The fix has been prepared and we are working through the testing and a release plan. This is taking longer as it is for our older platform. Once it has be QA'd and a release date is confirmed I will post an update.

       

  • HZO-GB's avatar
    HZO-GB
    Active Contributor
    2 years ago

    I know this is marked as Resolved but it is not. There is yet any fix to the vulnerability.

    • mkeaton's avatar
      mkeaton
      Frequent Contributor
      2 years ago

      Yet another item to add to the risk assessment.  Thank you HZO-GB!

  • HZO-GB's avatar
    HZO-GB
    Active Contributor
    2 years ago

    Thank you GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added o the latest version.

     

    This I find unacceptable from security practices perspective. This is one of the easiest vulnerability to remediate yet here I am opening and re-opening tickets,  posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it"