Detections
Analytics

Debian DLA-2211-1 : log4net security update

high Nessus Plugin ID 136672

Language:

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that there was an XML external entity vulnerability in log4net, a logging API for the ECMA Common Language Infrastructure (CLI), sometimes referred to as 'Mono'.

This type of attack occurs when XML input containing a reference to an internet-faced entity is processed by a weakly configured XML parser.
This attack may lead to the disclosure of confidential data, denial of service, server side request forgery as well as other system impacts.

For Debian 8 'Jessie', this issue has been fixed in log4net version 1.2.10+dfsg-6+deb8u1.

We recommend that you upgrade your log4net packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2020/05/msg00014.html

https://packages.debian.org/source/jessie/log4net

Plugin Details

Severity: High

ID: 136672

File Name: debian_DLA-2211.nasl

Version: 1.3

Type: local

Agent: unix

Published: 5/18/2020

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:liblog4net-cil-dev, cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:liblog4net1.2-cil

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 5/15/2020

Vulnerability Publication Date: 5/15/2020