First published: 4th July 2022
Last updated: 4th July 2022
Severity: Low
A vulnerability has been found in the implementation of the Log4net library. This affects the following supported DriveLock products (supported by the time this bulletin was created):
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
DriveLock uses Log4Net to create log files for the client security awareness viewer component and the DES.
A full list of related CVEs is available listed in the following section.
This vulnerability can be mitigated by explicitly limit access to the XML configuration files (read only).
Beginning with our next long-term support release 2022.2 DriveLock will use an updated version 2.0.14 for creating log files with Log4Net. Customers can update to this version as soon as it has been released.