Does NuGenesis LMS use a version of log4net.dll that is vulnerable to CVE-2018-1285? - WKB274204
Article number: 274204
ENVIRONMENT
- NuGenesis 9 LMS
- NuGenesis 8 LMS
ANSWER
Yes. The version of log4net provided with the LMS client is v2.0.8, and this version has the vulnerability outlined in CVE-2018-1285.
ADDITIONAL INFORMATION
Exploitation of this vulnerability requires both local access to a NuGenesis client machine and permission to write to files in the NuGenesis LMS client's installation folder.
To mitigate this vulnerability, restrict users to Read and Read & Execute permissions on the LMS client installation path.
Enhancement request CRI-6598 was filed to request an upgrade of the log4net library in the LMS client.
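One way to verify the permission mitigation described above, as an added example that is not vendor code: this PowerShell script lists Allow entries that grant write-type rights on the installation folder and everything beneath it. The `-InstallPath` parameter and the three groups checked (Everyone, Authenticated Users, BUILTIN\Users) are assumptions; add any site-specific groups that contain ordinary users.

```powershell
# Added example (not vendor code): list Allow ACEs that give broad groups
# write-type access anywhere under the LMS client installation folder.
param(
    # Placeholder: supply the real installation path for the machine being checked.
    [Parameter(Mandatory)] [string] $InstallPath
)

# Well-known SIDs, so the check works regardless of OS display language.
# Assumption: these three groups stand in for "users"; extend as needed.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights beyond Read / Read & Execute. Built from individual bits because
# composite values such as Modify also contain the read bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store generic rights instead: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = $writeBits -bor 0x40000000 -bor 0x10000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $InstallPath -Force) +
         @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly; include both explicit and inherited rules.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-capable ACEs for the checked groups under $InstallPath" }
```

Rows with `Inherited = True` have to be corrected on the parent folder that defines the entry, not on the listed file.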