Bug 1548909 (CVE-2018-8088)
Summary: | CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | aboyko, aileenc, akurtako, alazarot, anstephe, apevec, apinnick, asoldano, atangrin, avibelli, bbaranow, bcourt, bdawidow, bgeorges, bkearney, bmaxwell, bmcclain, brian.stansberry, cbillett, ccoleman, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dblechte, dedgar, dimitris, dkreling, dmcphers, dosoudil, drieden, eedri, etirelli, fgavrilo, ggaughan, gvarsami, gzaronik, hhorak, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jgoulding, jjoyce, jmatthew, jochrist, jolee, jondruse, jorton, jpallich, jperkins, jschatte, jschluet, jshepherd, jstastny, jwon, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lpetrovi, lthon, markmc, mbabacek, mburns, mgoldboi, michal.skrivanek, mizdebsk, mmccune, mrike, msochure, msvehla, mszynkie, myarboro, nwallace, ohadlevy, paradhya, pdrozd, pgallagh, pgier, pjindal, pjurak, pmackay, ppalaga, psakar, pslavice, psotirop, puntogil, rbryant, rchan, rguimara, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sclewis, sdaley, security-response-team, sherold, slinaber, smaestri, spinder, sthorger, tcunning, tdecacqu, theute, tkirby, tomckay, tom.jenkinson, trogers, tsanders, twalsh, vhalbert, vtunka, weli, yborgess, ykaul |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 03:41:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1549387, 1549388, 1549389, 1549390, 1549391, 1549928, 1549929, 1549930, 1550336, 1550337, 1551840, 1551843, 1551844, 1551845, 1551846, 1551848, 1551849, 1551850, 1551851, 1585897, 1708498 | | |
Bug Blocks: | 1548912 | | |
Description
Sam Fowler
2018-02-26 01:02:57 UTC
Acknowledgments: Name: Chris McCown

Created slf4j tracking bugs for this issue: Affects: fedora-all [bug 1549928]

Created slf4j-jboss-logmanager tracking bugs for this issue: Affects: fedora-all [bug 1549929]

The vulnerable code appears to be https://github.com/qos-ch/slf4j/blob/c960e8630cdf0ec4a6c5ea687ebe536e9e43ab68/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java#L80, and it is not shipped in Vertx-3. Hence marking it as not affected.

Upstream have not fixed this issue yet. So I'm removing the fixed-in version value from this bug. Ref: https://github.com/qos-ch/slf4j/blob/master/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS. Via RHSA-2018:0582 https://access.redhat.com/errata/RHSA-2018:0582

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2018:0592 https://access.redhat.com/errata/RHSA-2018:0592

Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.

This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).

Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:0629 https://access.redhat.com/errata/RHSA-2018:0629

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:0630 https://access.redhat.com/errata/RHSA-2018:0630

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6; Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7. Via RHSA-2018:0628 https://access.redhat.com/errata/RHSA-2018:0628

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7; Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5; Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:0627 https://access.redhat.com/errata/RHSA-2018:0627

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6. Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7. Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7; Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6. Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251

SOA-P is reduced (critical only) support, marked WONTFIX.

This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.2 zip. Via RHSA-2018:1323 https://access.redhat.com/errata/RHSA-2018:1323

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5. Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7. Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525

This issue has been addressed in the following products: Red Hat Data Grid. Via RHSA-2018:1575 https://access.redhat.com/errata/RHSA-2018:1575

This issue has been addressed in the following products: Red Hat Decision Manager. Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143

This issue has been addressed in the following products: Red Hat Process Automation. Via RHSA-2018:2419 https://access.redhat.com/errata/RHSA-2018:2419

This issue has been addressed in the following products: Red Hat Decision Manager. Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420

This issue has been addressed in the following products: Red Hat JBoss Fuse. Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

This issue has been addressed in the following products: Red Hat JBoss Operations Network. Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

This vulnerability is out of security support scope for the following product: Red Hat Enterprise Application Platform 5. Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This issue has been addressed in the following products: Red Hat Fuse 7.4.0. Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413

This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8. Via RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3140

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2020:2561 https://access.redhat.com/errata/RHSA-2020:2561
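The Candlepin statement in this bug turns on a question every deployment owner has to answer for this CVE: is the affected slf4j-ext artifact actually shipped, or only slf4j-api? The script below is an added example and is not code from this bug record or from the slf4j project. It walks a deployment directory, opens every .jar/.war/.ear (recursing into archives nested inside a .war or .ear), and reports each archive that contains org/slf4j/ext/EventData.class, the class whose String constructor is referenced above, along with the version recorded in the artifact's Maven pom.properties when that file is present. The sample tree that demo() builds, including its archive names and the 1.7.25 version string, is constructed data.

```python
"""Locate the slf4j-ext artifact (org.slf4j.ext.EventData) in a Java deployment.

Added example for this bug record; not code from Bugzilla or from the slf4j
project. Opens every .jar/.war/.ear under a directory, recurses into archives
nested inside archives (e.g. WEB-INF/lib/*.jar), and reports each one that
contains org/slf4j/ext/EventData.class together with the version from its
Maven pom.properties when present. The tree built by demo() is constructed.
"""
import io
import os
import sys
import tempfile
import zipfile

EVENTDATA_ENTRY = "org/slf4j/ext/EventData.class"
POM_PROPS = "META-INF/maven/org.slf4j/slf4j-ext/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _version_from_pom(zf):
    """Return the version= value from slf4j-ext's pom.properties, or 'unknown'."""
    if POM_PROPS not in zf.namelist():
        return "unknown"
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_archive(data, label, hits):
    """Inspect one archive given as bytes; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, so nothing to inspect
    with zf:
        names = zf.namelist()
        if EVENTDATA_ENTRY in names:
            hits.append((label, _version_from_pom(zf)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), f"{label}!{name}", hits)


def find_eventdata(root):
    """Return sorted (archive label, version) pairs for archives holding EventData.

    Nested archives are labelled outer!inner, e.g. app.war!WEB-INF/lib/x.jar.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), label, hits)
    return sorted(hits)


def _make_jar(entries):
    """Build an in-memory zip from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Build a constructed deployment tree, scan it, and return the hits."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed
    ext_jar = _make_jar({
        EVENTDATA_ENTRY: fake_class,
        POM_PROPS: b"groupId=org.slf4j\nartifactId=slf4j-ext\nversion=1.7.25\n",
    })
    api_jar = _make_jar({"org/slf4j/Logger.class": fake_class})
    war = _make_jar({"WEB-INF/lib/slf4j-ext-1.7.25.jar": ext_jar,
                     "WEB-INF/lib/slf4j-api-1.7.25.jar": api_jar})
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for rel, data in [("lib/slf4j-api-1.7.25.jar", api_jar),
                          ("lib/slf4j-ext-1.7.25.jar", ext_jar),
                          ("app.war", war),
                          ("README.txt", b"not an archive")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_eventdata(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for label, version in (find_eventdata(target) if target else demo()):
        print(f"{label}\tslf4j-ext {version}")
```

Run it as `python3 find_eventdata.py /path/to/deployment`; with no argument it scans the constructed demo tree. An empty result means slf4j-ext is not shipped in that tree, which is the situation the Candlepin statement describes. A hit only tells you the artifact is present; compare the reported version against the advisory that applies to your product before deciding whether an update is still outstanding.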