
ID

VDE-2024-004

Published

2025-04-22 10:00 (CEST)

Last update

2025-04-22 10:47 (CEST)

Vendor(s)

TRUMPF Laser GmbH
TRUMPF Werkzeugmaschinen SE + Co. KG

Product(s)

Product Name        Affected Version(s)
Boost               <= 16.0.24
FAB (Storage)       <= V22.7
Oseon (Storage)     <= 3.0.24
TruTops Cell        < 2.54.24
TruTops Classic     <= V12.1
TruTops Mark        <= V6.2

Summary

The listed versions of the TRUMPF products above ship a version of Apache log4net that is vulnerable to XML External Entity (XXE) injection. When log4net parses its XML configuration file it resolves external entities declared in that file, so an attacker who can supply or modify the configuration file can make the application fetch externally hosted or local content and embed it into the configuration while it is read. This may result in unauthorized (remote) access to data, change of data, or disruption of the whole system running the vulnerable application.


Last Update:

24. November 2021 09:50

Weakness

Improper Restriction of XML External Entity Reference (CWE-611)

Summary

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files (CVE-2018-1285). This allows XXE attacks in applications that accept attacker-controlled log4net configuration files, for example where the configuration file is writable by a low-privileged user or is loaded from a user-supplied path.
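The following C# program is an added example, not code from log4net or from TRUMPF. It shows what a malicious log4net configuration looks like (a DOCTYPE declaring an external entity that points at a local file), how a parser that processes DTDs and has a resolver expands that entity into the document, and how a hardened reader that prohibits DTDs and has no resolver rejects the same file before any content is fetched. The permissive settings are set explicitly to mirror the pre-2.0.10 situation; the hardened settings are the usual .NET mitigation for CWE-611 and are not a copy of log4net's own patch. The secret file, its path and the configuration text are constructed for the demo (.NET 6 or later, C# 8 syntax).

```csharp
// Added example (not log4net's or TRUMPF's code): why resolving XML external
// entities while loading a log4net configuration is dangerous, and how a
// hardened reader refuses such a file. Paths and the "secret" file are constructed.
using System;
using System.IO;
using System.Xml;

public static class Log4netConfigXxeDemo
{
    // Builds a constructed log4net-style configuration that declares an external
    // entity pointing at a local file and references it in element content.
    // (The XML spec forbids external entity references inside attribute values,
    // so the reference is placed in text content.)
    public static string BuildMaliciousConfig(string secretPath)
    {
        string uri = new Uri(secretPath).AbsoluteUri; // file:///... form
        return "<?xml version=\"1.0\"?>\n" +
               "<!DOCTYPE log4net [ <!ENTITY xxe SYSTEM \"" + uri + "\"> ]>\n" +
               "<log4net>&xxe;</log4net>";
    }

    // Mirrors the pre-2.0.10 situation: DTDs are parsed and a resolver is present,
    // so the entity is fetched from disk and expanded into the document.
    public static string LoadPermissive(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement.InnerText;
    }

    // Hardened loader: DTDs are prohibited and no resolver is available. A DOCTYPE
    // makes XmlReader throw an XmlException, so external content is never fetched.
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    public static void Main()
    {
        string secretPath = Path.Combine(Path.GetTempPath(), "xxe-demo-secret.txt");
        File.WriteAllText(secretPath, "db-password=hunter2"); // constructed sample secret

        string config = BuildMaliciousConfig(secretPath);

        // The permissive parser leaks the file content into the configuration document.
        Console.WriteLine("Permissive parser expanded entity to: " + LoadPermissive(config));

        // The hardened parser refuses the file at the DOCTYPE.
        try
        {
            LoadHardened(config);
            Console.WriteLine("Unexpected: hardened parser accepted the DOCTYPE");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Hardened parser rejected the file: " + ex.Message);
        }

        // A benign configuration without a DOCTYPE still loads with the hardened settings.
        XmlDocument ok = LoadHardened("<log4net><root><level value=\"INFO\"/></root></log4net>");
        Console.WriteLine("Benign config root element: " + ok.DocumentElement.Name);

        File.Delete(secretPath);
    }
}
```

The same entity could just as well point at an http:// URL on a host the attacker controls, which turns the configuration load into a request from the affected machine; prohibiting DTDs and removing the resolver closes both the file and the network path at once.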


Impact

An attacker who can supply or modify a log4net configuration file can make the application resolve external XML entities while that file is interpreted. This may result in unauthorized (remote) access to data, change of data, or disruption of the whole system running the vulnerable application. The vulnerability is not reachable through normal log messages; it requires control over the configuration file that log4net loads.

Solution

Remediation
New versions are available for the affected products. Install the new versions as provided by TRUMPF SE + Co. KG. To acquire these versions, please contact your TRUMPF Service and quote PR number 500879.
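The following C# program is an added check, not code from TRUMPF or log4net. It walks an installation directory, finds every log4net.dll and reports whether its assembly version is below 2.0.10, the first release that disables external entities when loading the configuration. It assumes that the assembly version recorded in log4net.dll mirrors the log4net release number, and the default search path is an assumed example; the vendor update remains the authoritative fix, this only confirms which library copies are still present on a machine.

```csharp
// Added check (not TRUMPF's or log4net's code): inventory of log4net.dll copies
// under a directory and whether each is older than 2.0.10.
// Assumption: the file's assembly version mirrors the log4net release number.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;

public static class Log4netInventory
{
    // First log4net release that disables XML external entities for configuration files.
    public static readonly Version FirstFixed = new Version(2, 0, 10);

    public record Finding(string Path, Version Version, bool Vulnerable);

    // Older than 2.0.10 means the configuration parser still resolves external entities.
    public static bool IsVulnerable(Version v) => v < FirstFixed;

    public static List<Finding> Scan(string root)
    {
        var findings = new List<Finding>();
        foreach (string dll in Directory.EnumerateFiles(root, "log4net.dll", SearchOption.AllDirectories))
        {
            Version v;
            try
            {
                // Reads the assembly identity from metadata without loading the DLL.
                v = AssemblyName.GetAssemblyName(dll).Version ?? new Version(0, 0);
            }
            catch (BadImageFormatException)
            {
                continue; // a file named log4net.dll that is not a managed assembly
            }
            findings.Add(new Finding(dll, v, IsVulnerable(v)));
        }
        return findings;
    }

    public static void Main(string[] args)
    {
        // Assumed example path; pass the real installation directory as the first argument.
        string root = args.Length > 0 ? args[0] : @"C:\Program Files\TRUMPF";
        foreach (Finding f in Scan(root))
            Console.WriteLine($"{(f.Vulnerable ? "VULNERABLE" : "ok        ")} {f.Version,-10} {f.Path}");
    }
}
```

Run it against each product's installation directory after the update has been applied; any line still marked VULNERABLE points at a library copy that the update did not replace and that should be raised with TRUMPF Service under the PR number above.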

Reported by

CERT@VDE coordinated with TRUMPF