Impact
The details for this are in the CVE issue.
Note that Chocolatey's implementation details lower the risk considerably. The log4net config file has to be in a specific place next to choco.exe, and the attacker would need Administrative permissions to the machine to be able to place the file. Due to that necessity, if they already have Administrative permissions, then it's already game over - they wouldn't need to exploit this vulnerability.
Patches
Users should upgrade to Boxstarter 2.14.0.
Workarounds
By default Chocolatey will secure the default install location to require Administrative permissions to access. If you have changed the permissions on the default install location (C:\ProgramData\chocolatey) or you have installed Chocolatey to another location, then ensure that the permissions restrict adding the log4net config file.
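The workaround above asks you to confirm that only administrators can drop a file into the Chocolatey install directory. The following PowerShell audit is an added example, not code from this advisory or from the Chocolatey or Boxstarter projects: it reads the directory's ACL, flags any Allow entry that grants write rights to a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER, and lists files beside choco.exe that match a config-name pattern. The install path default ($env:ChocolateyInstall, falling back to C:\ProgramData\chocolatey), the trusted-principal list and the `*log4net*` file pattern are assumptions; the advisory does not name the exact config file, so adjust the pattern to your environment.

```powershell
# Added example, not part of the advisory or of Chocolatey/Boxstarter.
# Audits whether non-administrative principals can write into the Chocolatey
# install directory (the condition the workaround tells you to rule out) and
# reports any config-like files sitting next to choco.exe.
function Test-ChocolateyInstallAcl {
    [CmdletBinding()]
    param(
        # Assumption: install dir comes from $env:ChocolateyInstall, else the default path.
        [string]$InstallDir = $(if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }),
        # Placeholder pattern (assumption): the advisory does not give the config file name.
        [string]$ConfigPattern = '*log4net*'
    )

    if (-not (Test-Path -LiteralPath $InstallDir)) {
        throw "Chocolatey install directory not found: $InstallDir"
    }

    # Principals expected to hold write access (assumption); anyone else with
    # write rights on the directory is reported.
    $trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller',
        'CREATOR OWNER'
    )

    # Any of these rights allows creating a new file in the directory.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $InstallDir
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $InstallDir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    # choco.exe lives in the install root; look there for matching config files.
    $configFiles = @()
    if (Test-Path -LiteralPath (Join-Path $InstallDir 'choco.exe')) {
        $configFiles = Get-ChildItem -LiteralPath $InstallDir -Filter $ConfigPattern -File -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName
    }

    [pscustomobject]@{
        InstallDir       = $InstallDir
        WritableByOthers = @($findings)
        ConfigFilesFound = @($configFiles)
        Ok               = (@($findings).Count -eq 0 -and @($configFiles).Count -eq 0)
    }
}

# Usage: run from an elevated prompt so Get-Acl can read the directory's security descriptor.
$result = Test-ChocolateyInstallAcl
$result.WritableByOthers | Format-Table -AutoSize
$result.ConfigFilesFound
"Directory restricted to trusted principals and no config files found: $($result.Ok)"
```

A non-empty `WritableByOthers` list (for example an entry for `BUILTIN\Users` or `NT AUTHORITY\Authenticated Users` carrying Write or Modify) means the permissions have drifted from the default and should be tightened; the inherited flag tells you whether the grant comes from a parent directory rather than from the Chocolatey folder itself.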
For more information
If you have any questions or comments about this advisory: