[
https://issues.apache.org/jira/browse/LOG4NET-679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452090#comment-17452090
]
Erik Mavrinac commented on LOG4NET-679:
---------------------------------------
Per the CVE, the minimum version that apps will have to move to is 2.0.10. But
since distribution of log4net is not controlled by the log4net team, you need
to open an issue with each product or service that is distributing the binary
to get them to move to the latest, then distribute a new version to resolve
your CVE scanner.
> Many systems receiving vulnerability notice for log4net.dll for multiple
> applications.
> --------------------------------------------------------------------------------------
>
> Key: LOG4NET-679
> URL: https://issues.apache.org/jira/browse/LOG4NET-679
> Project: Log4net
> Issue Type: Bug
> Affects Versions: 1.2.10, 2.0.8
> Environment: Windows 10
> Reporter: Marcia Williams
> Priority: Major
> Labels: patch
> Attachments: apache log4net.dll_Dameware Vuln_22nov21.PNG, apache
> log4net.dll_Dell Vuln_22nov21.PNG
>
>
> We have hundreds of computers that are flagging Apache log4net.dll as a
> CRITICAL VULNERABILITY! (CVE-2018-1285 for log4net)
> Because log4net is installed as part of many applications there is no
> consistent version or application that is affected. It looks like anything
> that uses log4net.dll is being flagged with different versions of the .dll.
> I have looked everywhere and cannot figure out how to get a patch for this.
> All assistance is appreciated as this is a CRITICAL level vulnerability.
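One way to find which installed products ship a log4net.dll below 2.0.10, so an issue can be opened with each distributor as the comment describes. This is an example added here, not part of the Jira thread or of log4net itself. It assumes the DLL's file version resource matches the log4net release number; the search roots and the output column names are choices made for this example.

```powershell
# Added example: inventory log4net.dll copies and flag those below 2.0.10.
# Assumption: the file version resource reflects the log4net release number.
param(
    # Search roots are an assumption; pass -Root to scan other locations.
    [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)
)

# Minimum version named in the comment above. Compared as [version], not as a
# string: as text "2.0.8" sorts after "2.0.10" and would wrongly pass.
$minimum = [version]'2.0.10'

$results = foreach ($r in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    $base = (Get-Item -LiteralPath $r).FullName
    Get-ChildItem -LiteralPath $base -Filter 'log4net.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi  = $_.VersionInfo
            # Numeric parts only; a DLL without a version resource yields 0.0.0
            # and is reported as below the minimum so it gets looked at.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
            # First folder under the search root, used as a hint for which
            # product (and therefore which vendor) distributes this copy.
            $rel = $_.DirectoryName.Substring($base.Length).TrimStart('\')
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Application  = ($rel -split '\\')[0]
                Version      = $ver
                BelowMinimum = $ver -lt $minimum
                Path         = $_.FullName
            }
        }
}

# One row per copy, grouped visually by the owning application folder.
$results | Sort-Object Application, Path | Format-Table -AutoSize

# Per-application summary of the copies that still need a vendor update.
$results | Where-Object BelowMinimum |
    Group-Object Application |
    Select-Object @{ n = 'Application'; e = { $_.Name } },
                  @{ n = 'Copies';      e = { $_.Count } },
                  @{ n = 'Versions';    e = { ($_.Group.Version | Sort-Object -Unique) -join ', ' } }
```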