Bug 2252956 (CVE-2023-6481)

Summary: CVE-2023-6481 logback: A serialization vulnerability in logback receiver
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, cmoulliard, csutherl, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, ecerquei, fjuma, fmariani, gmalinko, gsmet, ibek, ikanello, istudens, ivassile, iweiss, janstey, jcantril, jclere, jkoops, jmartisk, jpechane, jpoth, jrokos, jross, jscholz, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, plodge, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: logback-classic 1.2.13, logback-classic 1.3.14, logback-classic 1.4.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2252957, 2252958, 2252959    
Bug Blocks: 2252950    

Description Avinash Hanwate 2023-12-05 12:42:43 UTC 
A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

https://logback.qos.ch/news.html#1.3.12
https://logback.qos.ch/news.html#1.3.14
Comment 1 Avinash Hanwate 2023-12-05 12:43:01 UTC 
Created picocli tracking bugs for this issue:

Affects: fedora-all [bug 2252957]
Comment 6 errata-xmlrpc 2024-02-12 18:01:14 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.3

Via RHSA-2024:0793 https://access.redhat.com/errata/RHSA-2024:0793
Comment 7 errata-xmlrpc 2024-02-15 12:55:33 UTC 
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843
Comment 10 errata-xmlrpc 2024-05-21 14:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:2945 https://access.redhat.com/errata/RHSA-2024:2945
Comment 11 errata-xmlrpc 2024-05-23 22:46:33 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354