Bug 2252230 (CVE-2023-6378)

Summary: CVE-2023-6378 logback: serialization vulnerability in logback receiver
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, cmoulliard, csutherl, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, fjuma, fmariani, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jcantril, jclere, jkoops, jmartisk, jpechane, jpoth, jrokos, jscholz, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, plodge, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial of service condition.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2252951, 2252954, 2252955
Bug Blocks: 2252950

Description Avinash Hanwate 2023-11-30 09:44:19 UTC
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

https://logback.qos.ch/news.html#1.3.12

Comment 1 Avinash Hanwate 2023-12-05 12:36:09 UTC
Created picocli tracking bugs for this issue:

Affects: fedora-all [bug 2252951]

Comment 5 errata-xmlrpc 2024-02-12 18:01:14 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.3

Via RHSA-2024:0793 https://access.redhat.com/errata/RHSA-2024:0793

Comment 8 errata-xmlrpc 2024-05-21 14:18:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:2945 https://access.redhat.com/errata/RHSA-2024:2945

Comment 9 errata-xmlrpc 2024-05-23 22:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354