I took a look at the CVEs and neither of them applies to OpenSimulator's use
of it out of the box. That's not to say that it is wise, long term, to
keep this version. There are two CVEs: one is for a version earlier
than the one in OpenSimulator; for the second, someone would have to configure
a special log appender that goes to the Linux syslog.

Furthermore, if Dependabot had an issue with the library, it would show up
on pull requests on this project:
https://github.com/opensim/opensim/pulls?q=is%3Aopen+is%3Apr , unless
someone disabled Dependabot on the project. It is enabled by default
though.

In other words... Don't panic. You're still safe.
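The reply above rests on two checkable preconditions: an XXE needs a DOCTYPE with an external entity declaration inside the config file the process actually reads, and the second CVE needs a syslog appender to be configured. This added example (not code from the thread or from OpenSimulator) audits a log4net XML config for both; the two sample configs are constructed, and the check assumes syslog appenders are identifiable by "Syslog" in their type name, as with log4net's LocalSyslogAppender and RemoteSyslogAppender.

```python
import xml.parsers.expat

# Constructed samples, not from OpenSimulator: a log4net section as it would sit in
# OpenSim.exe.config / Robust.exe.config, once clean and once with an injected DTD.
SAFE_CONFIG = """<?xml version="1.0"?>
<log4net>
  <appender name="Console" type="OpenSim.Framework.Console.OpenSimAppender, OpenSim.Framework.Console">
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date{HH:mm:ss} - %message" />
    </layout>
  </appender>
  <root><level value="DEBUG" /><appender-ref ref="Console" /></root>
</log4net>"""

UNSAFE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM "file:///EXAMPLE_PATH"> ]>
<log4net>
  <appender name="Syslog" type="log4net.Appender.LocalSyslogAppender">&ext;</appender>
  <root><level value="INFO" /><appender-ref ref="Syslog" /></root>
</log4net>"""


def audit_log4net_config(xml_text):
    """Report the preconditions the thread names: a DOCTYPE with external entities
    (what an XXE needs) and any appender whose type routes to syslog."""
    findings = {"doctype": False, "external_entities": [],
                "syslog_appenders": [], "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()
    # The auditor itself must not resolve anything: never load parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True  # a config file has no business carrying a DTD

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:  # SYSTEM/PUBLIC => external
            findings["external_entities"].append(name)

    def on_start(name, attrs):
        if name == "appender" and "syslog" in attrs.get("type", "").lower():
            findings["syslog_appenders"].append(attrs.get("name", "<unnamed>"))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings["parse_error"] = str(exc)  # DTD handlers above have already fired
    return findings
```

Run it against the real OpenSim.exe.config and Robust.exe.config: a clean deployment should report no DOCTYPE, no external entities and no syslog appenders.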

On Wed, Dec 15, 2021 at 3:18 PM Cinder Roxley <cin...@alchemyviewer.org>
wrote:

>
> https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=7281&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2&sha=f70b070c708ceeabfdce6d62f53aef9c82924571
>
> --
> Sent from Canary (https://canarymail.io)
>
> > On Wednesday, Dec 15, 2021 at 5:15 PM, Dahlia Trimble <dahliatrim...@gmail.com> wrote:
> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > vulnerability.
> >
> > This is eluding my google-fu and I can't find anything about it. Have a
> > link?
> >
> > -D
> >
> > On Wed, Dec 15, 2021 at 10:00 AM Fred Beckhusen <f...@mitsi.com> wrote:
> >
> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > > vulnerability. That's the issue.
> > >
> > > We don't load Robust.exe.config or Opensim.exe.config with user supplied
> > > data, so AFAIK, we don't have an exploitable security issue. But that
> > > may not matter. IT professionals will be much more sensitive to XXE
> > > after their Log4J remediation efforts.
> > >
> > > We all know that the major sponsors of Opensim are Universities. Their
> > > IT departments are under attack.
> > >
> > > ~ Fred
> > >
> > >
> > > _______________________________________________
> > > Opensim-dev mailing list
> > > Opensim-dev@opensimulator.org
> > > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev