Red Hat Bugzilla – Bug 1548909
CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
Last modified: 2018-10-19 17:46:44 EDT
SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor. Upstream Issue: https://jira.qos.ch/browse/SLF4J-430
Acknowledgments: Name: Chris McCown
Created slf4j tracking bugs for this issue: Affects: fedora-all [bug 1549928] Created slf4j-jboss-logmanager tracking bugs for this issue: Affects: fedora-all [bug 1549929]
The vulnerable code appears to be https://github.com/qos-ch/slf4j/blob/c960e8630cdf0ec4a6c5ea687ebe536e9e43ab68/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java#L80, and it is not shipped in Vertx-3. Hence marking it as not affected.
Upstream have not fixed this issue yet. So I'm removing the fixed-in version value from this bug. Ref: https://github.com/qos-ch/slf4j/blob/master/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0582 https://access.redhat.com/errata/RHSA-2018:0582
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0592 https://access.redhat.com/errata/RHSA-2018:0592
Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath). Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0629 https://access.redhat.com/errata/RHSA-2018:0629
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0630 https://access.redhat.com/errata/RHSA-2018:0630
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0628 https://access.redhat.com/errata/RHSA-2018:0628
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:0627 https://access.redhat.com/errata/RHSA-2018:0627
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251
SOA-P is reduced (critical only) support, marked WONTFIX
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.2 zip Via RHSA-2018:1323 https://access.redhat.com/errata/RHSA-2018:1323
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525
This issue has been addressed in the following products: Red Hat Data Grid Via RHSA-2018:1575 https://access.redhat.com/errata/RHSA-2018:1575
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2018:2419 https://access.redhat.com/errata/RHSA-2018:2419
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669
This issue has been addressed in the following products: Red Hat JBoss Operations Network Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930