HZO-GB
Active Contributor

CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Why is this ancient CVE from 2020 still present in the latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?

 

C:\Program Files\Logmein\Active Directory Connector\log4net.DLL

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705

 

I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?

 

1 ACCEPTED SOLUTION

GlennD
GoTo Manager

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Hi @HZO-GB, welcome to the community.

 

The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

 

Glenn is a member of the GoTo Community Care Team.


4 REPLIES 4
HZO-GB
Active Contributor

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Thank you @GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added to the latest version.

 

This I find unacceptable from a security practices perspective. This is one of the easiest vulnerabilities to remediate, yet here I am opening and re-opening tickets, posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it".

HZO-GB
Active Contributor

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

I know this is marked as Resolved but it is not. There is not yet any fix to the vulnerability.

mkeaton
Contributor

Re: CVE-2018-1285 Apache log4net XML External Entity Vulnerability

Yet another item to add to the risk assessment.  Thank you HZO-GB!