Forum Discussion

HZO-GB's avatar
HZO-GB
Active Contributor
10 months ago

CVE-2018-1285 Apache log4net XML External Entity Vulnerability

**********************************

EDIT1: 2024/05/06

DESPITE THE "SOLVED" MARKINGS THE VULNERABILITY REMAINS. DO NOT BE FOOLED BY GOTO!

**********************************

 

Why is this ancient CVE from 2020 still present in latest (v2.2.28) GoToConnect Active Directory Connector software https://support.goto.com/connect/help/install-active-directory-connector-v2 ?

 

C:\Program Files\Logmein\Active Directory Connector\log4net.DLL

 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

https://nvd.nist.gov/vuln/detail/CVE-2018-1285

https://www.fortiguard.com/encyclopedia/endpoint-vuln/2705

 

I opened a ticket with support and they closed it because the developers "are working on it" 4 years later.... Is GoTo taking security seriously?

 

  • Hi HZO-GB, welcome to the community.

     

    The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

     

  • Hi HZO-GB, welcome to the community.

     

    The team is aware of this issue and it is being worked on currently. When an update is available I will share it here.

     

    • HZO-GB's avatar
      HZO-GB
      Active Contributor

      Thank you GlennD for the update. My complaint is that Apache has patched the DLL since 2020, and yet in 2024 GoTo is still looking into re-compiling the connector software so the new version DLL is added o the latest version.

       

      This I find unacceptable from security practices perspective. This is one of the easiest vulnerability to remediate yet here I am opening and re-opening tickets,  posting on the community forum, waiting months and vocally pushing for a patch with no ETA except "we are looking into it"

    • HZO-GB's avatar
      HZO-GB
      Active Contributor

      I know this is marked as Resolved but it is not. There is yet any fix to the vulnerability.

      • mkeaton's avatar
        mkeaton
        Frequent Contributor

        Yet another item to add to the risk assessment.  Thank you HZO-GB!

    • HZO-GB's avatar
      HZO-GB
      Active Contributor

      GlennD  can you provide an update, and also follow up on my ticket 19744340?

      • GlennD's avatar
        GlennD
        GoTo Manager

        HZO-GB The fix has been prepared and we are working through the testing and a release plan. This is taking longer as it is for our older platform. Once it has be QA'd and a release date is confirmed I will post an update.

         

  • HZO-GB's avatar
    HZO-GB
    Active Contributor

    I am getting the run-around with this 4 year old vulnerability. After multiple requests to escalate the case due to security concerns and false closures someone promised to contact the devs. Well, the software is still vulnerable, and the ticket is closed without notification, again.