Article - CS356750

CVE-2018-1285 Security Vulnerability is present within log4net.dll 2.0.8.0 library used in ThingWorx .Net SDK 5.8.3

Modified: 22-Jul-2022


Applies To

  • ThingWorx Edge SDK 5.8.0 to 5.8.3 M080

Description

  • Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for an attacker to perform XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
  • The CVE-2018-1285 vulnerability is present within ThingWorx .Net SDK 5.8.3 and was considered a high risk upon original discovery.
  • Per PTC’s internal vulnerability management policy, additional triage and analysis was conducted.
  • PTC considers this a low risk based on our product system architecture:
    • The SDK contains an XML parser, but it is not injected into the settings of the build.
  • The product uses ThingWorx Dotnet-SDK-5-8-3-711, which contains a third-party library named log4net.dll.
    • log4net.dll is at version 2.0.8.0 and is exposed to CVE-2018-1285, but it is considered a low risk after the internal analysis outlined in our internal vulnerability management program.
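The following is an added example, not PTC's code and not part of the ThingWorx SDK or log4net. It shows the compensating control an application would apply while it still ships log4net 2.0.8.0: instead of letting log4net open the configuration file itself, load the file through an XmlReader that prohibits DTDs and external resolution (the same hardening log4net applied in 2.0.10), and then pass the parsed element to log4net's public XmlConfigurator.Configure(XmlElement) overload. The class name SafeLog4NetConfig, the helper names, and the two sample configuration strings are constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using log4net.Config;

// Added example (hypothetical wrapper, not PTC's or log4net's own code).
// Only needed when log4net is older than 2.0.10 and configuration files can
// come from outside the build, which is the condition CVE-2018-1285 depends on.
public static class SafeLog4NetConfig
{
    // Parses the configuration file with DTD processing disabled and no
    // external resolver. Any <!DOCTYPE ...> (where external entities would be
    // declared) makes XmlReader throw an XmlException before log4net sees it.
    public static XmlElement LoadConfigElement(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // DOCTYPE/DTD is an error
            XmlResolver = null                      // never fetch external resources
        };
        using (var reader = XmlReader.Create(path, settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement;
        }
    }

    // Hands the already-sanitised element to log4net. Because log4net receives
    // an XmlElement rather than a file path, its own (vulnerable) file parsing
    // in 2.0.8.0 is never invoked.
    public static void Configure(string path)
    {
        XmlElement element = LoadConfigElement(path);
        if (element == null || element.Name != "log4net")
            throw new InvalidOperationException("root element must be <log4net>");
        XmlConfigurator.Configure(element);
    }

    public static void Main()
    {
        // Constructed sample configurations: one plain, one carrying a DTD.
        string plain = "<log4net><root><level value=\"INFO\" /></root></log4net>";
        string withDtd = "<!DOCTYPE log4net><log4net><root><level value=\"INFO\" /></root></log4net>";

        string plainPath = Path.GetTempFileName();
        string dtdPath = Path.GetTempFileName();
        File.WriteAllText(plainPath, plain);
        File.WriteAllText(dtdPath, withDtd);

        Configure(plainPath);
        Console.WriteLine("plain configuration accepted");

        try
        {
            Configure(dtdPath);
            Console.WriteLine("unexpected: configuration with DTD was accepted");
        }
        catch (XmlException e)
        {
            // Expected path: the reader refuses the DTD, so no entity is ever expanded.
            Console.WriteLine("configuration with DTD rejected: " + e.Message);
        }
    }
}
```

Rejecting every DOCTYPE, rather than trying to distinguish harmless ones, is the deliberate choice here: a log4net configuration never legitimately needs a DTD, so a DOCTYPE in a configuration file is itself a signal worth logging as a tampering indicator. The same loader can be dropped in front of XmlConfigurator.ConfigureAndWatch-style reloads if the application re-reads configuration at runtime.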