cancel
Showing results for 
Search instead for 
Did you mean: 
HZO-GB
New Contributor

CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Why is this ancient CVE from 2020 still present in latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?

 

C:\Program Files\Logmein\Active Directory Connector\log4net.DLL

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705

 

I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?

 

2 REPLIES 2
GlennD
GoTo Manager

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Hi @HZO-GB, welcome to the community.

 

The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

 

Glenn is a member of the GoTo Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!.

Free new user and admin training
HZO-GB
New Contributor

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Thank you @GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added o the latest version.

 

This I find unacceptable from security practices perspective. This is one of the easiest vulnerability to remediate yet here I am opening and re-opening tickets,  posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it"