Why does my security tool report an outdated log4net.dll in ETS6?
ETS contains two different converter technologies to keep compatibility with projects created in all previous ETS versions:
Legacy converter (for projects from ETS1–ETS3)
Uses log4net v2.0.8 and is kept only to open and convert very old projects.
Modern converter (CVnext) (for all current project data, starting from XML 1.4)
Uses log4net v2.0.12 and is actively maintained.
Because both converters are required, both log4net versions are installed in separate folders, for example:
C:\Program Files (x86)\ETS5\CV\5.6.241.33672\log4net.dll
C:\Program Files (x86)\ETS6\CV\5.6.241.33672\log4net.dll
Is ETS6 affected by CVE-2018-1285?
No. ETS6 is not affected by CVE-2018-1285.
The CVE describes a vulnerability that allows XXE-based attacks in applications that accept attacker-controlled log4net configuration files. ETS does not accept any external or user-controlled log4net configuration files. The log4net configuration used by ETS is internal and static. Therefore, the attack scenario required by CVE-2018-1285 does not apply to ETS.
Can I delete the old log4net.dll (v2.0.8)?
No, you should not delete the legacy log4net.dll.
The log4net v2.0.8 file is required by the legacy converter to open and convert old ETS projects (ETS1–ETS3). If you delete this file, older projects may no longer open or convert correctly.
Why are both log4net files still present after updating to the latest ETS6 version?
This behavior is intentional. The update does not remove the legacy converter or its libraries, because many users still need to work with older ETS projects. Both converters must remain available so that ETS can reliably handle projects from all generations.
Summary
log4net v2.0.8 – used only by the legacy converter for very old ETS projects.
log4net v2.0.12 – used by the modern converter (CVnext) for all current project data.
ETS6 is not vulnerable to CVE-2018-1285, because it does not load attacker-controlled log4net configuration files.
Do not remove the older log4net.dll files, as they are required for backward compatibility.
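To document a scanner finding like the one described above, the following PowerShell inventory lists every log4net.dll under the ETS install folders with its version and hash. It is an added example, not part of ETS or of the original FAQ; the two root folders are assumed from the example paths above, and it assumes the DLL's file version resource carries the log4net release number.

```powershell
# Added example: inventory every log4net.dll under the ETS install roots.
# Assumption: default install roots, taken from the example paths on this page.
$roots = @(
    'C:\Program Files (x86)\ETS5',
    'C:\Program Files (x86)\ETS6'
)

# log4net versions this page says ship with ETS (legacy converter / CVnext).
$expected = @('2.0.8', '2.0.12')

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter 'log4net.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Assumption: the file version resource is four-part (e.g. 2.0.8.0);
            # compare on major.minor.build only.
            $ver = '{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart

            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $ver
                Expected    = $expected -contains $ver
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWrite   = $_.LastWriteTimeUtc
            }
        }
}

# Full inventory, suitable for attaching to the scanner finding.
$report | Sort-Object Path | Format-List

# Flag any copy whose version is not one of the two this page describes.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning 'Found log4net.dll with a version not listed in this FAQ:'
    $unexpected | Format-List Path, FileVersion
}
```

A copy flagged as unexpected, or one located outside the converter folders, is not covered by the explanation in this FAQ and should be reviewed separately.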