HZO-GB
Active Contributor
Joined 12 months ago
User Profile
User Widgets
Contributions
CVE-2018-1285 Apache log4net XML External Entity Vulnerability
********************************** EDIT1: 2024/05/06 DESPITE THE "SOLVED" MARKINGS THE VULNERABILITY REMAINS. DO NOT BE FOOLED BY GOTO! ********************************** Why is this ancient CVE from 2020 still present in latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ? C:\Program Files\Logmein\Active Directory Connector\log4net.DLL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285 https://nvd.nist.gov/vuln/detail/CVE-2018-1285 https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705 I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?Solved1.4KViews2likes7CommentsRe: CVE-2018-1285 Apache log4net XML External Entity Vulnerability
I am getting the run-around with this 4 year old vulnerability. After multiple requests to escalate the case due to security concerns and false closures someone promised to contact the devs. Well, the software is still vulnerable, and the ticket is closed without notification, again.1KViews0likes0CommentsRe: CVE-2018-1285 Apache log4net XML External Entity Vulnerability
Thank you GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added o the latest version. This I find unacceptable from security practices perspective. This is one of the easiest vulnerability to remediate yet here I am opening and re-opening tickets, posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it"1.3KViews1like0Comments