Why is this ancient CVE from 2020 still present in the latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?
C:\Program Files\Logmein\Active Directory Connector\log4net.DLL
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285
https://nvd.nist.gov/vuln/detail/CVE-2018-1285
https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705
I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?
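For anyone doing the same risk assessment, the following is an added example (not from the thread or from GoTo) that inventories every log4net.dll under Program Files and flags copies older than the release that fixed CVE-2018-1285. The fix version 2.0.10 is taken from the NVD entry linked above, not from this thread; the function name and the parameter defaults are assumptions, so adjust them for your environment.

```powershell
# Added example, not part of the original thread or of GoTo's software.
# Walks Program Files (32- and 64-bit), finds every log4net.dll, reads its PE
# version resource and reports whether it predates the CVE-2018-1285 fix.
# Assumption: 2.0.10 is the fixed release per the NVD advisory; verify before relying on it.
param(
    [string[]]$SearchRoots  = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
    [version] $FixedVersion = [version]'2.0.10.0'
)

function Get-Log4netInventory {
    param(
        [string[]]$Roots,
        [version] $Fixed
    )
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
        # -Filter is case-insensitive on Windows, so log4net.DLL is matched too
        Get-ChildItem -Path $root -Filter 'log4net.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi  = $_.VersionInfo
                # Some builds leave FileVersion empty; fall back to ProductVersion
                $raw = if ($vi.FileVersion) { $vi.FileVersion } else { $vi.ProductVersion }
                # Strip suffixes such as "-beta" so [version] can parse the numeric part
                $parsed = $null
                $ok = [version]::TryParse((($raw -as [string]) -replace '[^\d\.]', ''), [ref]$parsed)
                $status = if (-not $ok)             { 'unknown'    }
                          elseif ($parsed -lt $Fixed) { 'VULNERABLE' }
                          else                        { 'patched'    }
                [pscustomobject]@{
                    Status  = $status
                    Version = $raw
                    Product = $vi.ProductName
                    Path    = $_.FullName
                }
            }
    }
}

# Vulnerable and unparseable copies sort to the top for review
Get-Log4netInventory -Roots $SearchRoots -Fixed $FixedVersion |
    Sort-Object Status -Descending |
    Format-Table -AutoSize
```

Running this on a host with the connector installed should list the `C:\Program Files\Logmein\Active Directory Connector\log4net.DLL` copy named in the post alongside any other product that bundles the library; a status of `unknown` means the version resource could not be parsed and the file should be checked by hand (for example by hash against the Apache release) rather than assumed safe.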
Hi @HZO-GB, welcome to the community.
The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.
Thank you @GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added to the latest version.
This I find unacceptable from a security practices perspective. This is one of the easiest vulnerabilities to remediate, yet here I am opening and re-opening tickets, posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it".
I know this is marked as Resolved but it is not. There is not yet any fix for the vulnerability.
Yet another item to add to the risk assessment. Thank you HZO-GB!