log4net.dll Security Vulnerability

[YoniTigris]

Fortinet FortiClient Vulnerability Scan reported the files:
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloud\1.0.1.10\fullclr\log4net.dll
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloudBeta\1.0.1.10\fullclr\log4net.dll
Contain Security Vulnerability CVE-2018-1285 for log4net.
How to upgrade log4net to 2.0.10 or higher?

Thanks in advance :-)

[BigMacIT]

Critical Security Vulnerability in log4net.dll (CVE-2018-1285)

Issue Details

I've identified a critical security vulnerability in the Google Cloud SDK installation:

• File: \Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\PowerShell\GoogleCloudBeta\1.0.1.10\fullclr\log4net.dll
• Current Version: 2.0.7.0
• Vulnerability: CVE-2018-1285
• Severity: CRITICAL
• CVSS Score: 9.8
• CVSS Exploitability Score: 3.9
• Fixed Version: 2.0.10
• Source: NVD - CVE-2018-1285

This vulnerability in log4net allows attackers to execute arbitrary code via a crafted serialized object in the data stream. Given its critical severity and high exploitability score, this poses a significant security risk.

Steps to Reproduce

1. Install Google Cloud SDK
2. Navigate to the path mentioned above
3. Check the version of log4net.dll (2.0.7.0)

Expected Behavior

The SDK should include the patched version of log4net.dll (2.0.10 or later) to mitigate this vulnerability.

Actual Behavior

The SDK includes an outdated and vulnerable version of log4net.dll (2.0.7.0).

Impact

This vulnerability could potentially allow malicious actors to execute arbitrary code, compromising the security of systems using the Google Cloud SDK.

Proposed Solution

1. Update the bundled log4net.dll to version 2.0.10 or later in the Google Cloud SDK package.
2. Implement a process for regular security audits of third-party dependencies in the SDK.
3. Consider adding an auto-update feature for critical security patches in SDK components.

---

This issue requires urgent attention due to its severity. Could you please provide an update on when we can expect a fix for this vulnerability?

Thank you for your prompt attention to this critical security matter.

[pberenyi]

After nearly 2 years, this is still open. If the library is not used for anything, why to include it? If it is used for something why not upgrade to a non-vulnerable version?

[vmugutrao]

This vulnerability is still open, seems all Google developers are busy !!!