CVE-2018-1285 Apache log4net XML External Entity Vulnerability

**********************************

EDIT1: 2024/05/06

DESPITE THE "SOLVED" MARKINGS THE VULNERABILITY REMAINS. DO NOT BE FOOLED BY GOTO!

**********************************

Why is this ancient CVE from 2020 still present in latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?

C:\Program Files\Logmein\Active Directory Connector\log4net.DLL

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705

I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?

Find more posts tagged with

Accepted answers

GlennD

Hi @HZO-GB, welcome to the community.

The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

All comments

GlennD

@HZO-GB The fix has been prepared and we are working through the testing and a release plan. This is taking longer as it is for our older platform. Once it has be QA'd and a release date is confirmed I will post an update.

HZO-GB

@GlennD can you provide an update, and also follow up on my ticket 19744340?

HZO-GB

I am getting the run-around with this 4 year old vulnerability. After multiple requests to escalate the case due to security concerns and false closures someone promised to contact the devs. Well, the software is still vulnerable, and the ticket is closed without notification, again.

mkeaton

Yet another item to add to the risk assessment. Thank you HZO-GB!

HZO-GB

I know this is marked as Resolved but it is not. There is yet any fix to the vulnerability.

HZO-GB

Thank you @GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added o the latest version.

This I find unacceptable from security practices perspective. This is one of the easiest vulnerability to remediate yet here I am opening and re-opening tickets, posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it"

GlennD

Hi @HZO-GB, welcome to the community.

The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.