Forum Discussion

HZO-GB
Active Contributor
8 months ago

CVE-2018-1285 Apache log4net XML External Entity Vulnerability

**********************************

EDIT1: 2024/05/06

DESPITE THE "SOLVED" MARKINGS THE VULNERABILITY REMAINS. DO NOT BE FOOLED BY GOTO!

**********************************


Why is this ancient CVE from 2020 still present in latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?


C:\Program Files\Logmein\Active Directory Connector\log4net.DLL


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705


I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?



  • 
    HZO-GB
    Active Contributor

    I am getting the run-around with this 4 year old vulnerability. After multiple requests to escalate the case due to security concerns and false closures someone promised to contact the devs. Well, the software is still vulnerable, and the ticket is closed without notification, again.

  • 
    GlennD
    GoTo Manager

    Hi HZO-GB, welcome to the community.


    The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.


    • 
      HZO-GB
      Active Contributor

      GlennD, can you provide an update, and also follow up on my ticket 19744340?

      • 
        GlennD
        GoTo Manager

        HZO-GB, the fix has been prepared and we are working through the testing and a release plan. This is taking longer as it is for our older platform. Once it has been QA'd and a release date is confirmed I will post an update.


    • 
      HZO-GB
      Active Contributor

      I know this is marked as Resolved but it is not. There isn't yet any fix for the vulnerability.

      • 
        mkeaton
        Frequent Contributor

        Yet another item to add to the risk assessment. Thank you HZO-GB!

    • 
      HZO-GB
      Active Contributor

      Thank you GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version of the DLL is added to the latest version.


      This I find unacceptable from a security practices perspective. This is one of the easiest vulnerabilities to remediate, yet here I am opening and re-opening tickets, posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it".