Security advisory: ProCall Enterprise client for Windows – Apache log4net versions prior to 2.0.10

Description

Apache log4net versions prior to 2.0.10 do not disable external XML entities when parsing log4net configuration files. This allows XXE-based attacks in applications that accept attacker-controlled log4net configuration files. This component was shipped with the ProCall client for Windows, but was only used when the Google integration was launched.

Affected versions

This vulnerability affects all previously released versions of ProCall 6 Enterprise (EOL) and ProCall 7 Enterprise.

• 7.0, 7.1, 7.2, 7.3 (all sub-versions)
• 6.0, 6.1, 6.2, 6.3, 6.4 (all sub-versions)

ProCall Business 

• 21H2 <(Build 2.5248)

Workaround

Disable Google integration and remove the "log4net.dll" file from the client installation directories.

Versions with bug fixes

estos has already released updates with fixes to the vulnerability. Customers and partners can obtain updates through the known channels and follow the normal update process.

• ProCall 7 Enterprise ≥ 7.3.2.5199
• ProCall 6 Enterprise ≥ 6.4.22.5302
• ProCall Business 21H2 (Build 2.5248)

End-of-life

Please note the following: If you are using older estos product versions that are no longer supported (End-of-Life has been reached), we strongly recommend updating your software to the current versions for security reasons.
This is because security patches are only regularly developed and made available for current software versions.