Bug 1548909 (CVE-2018-8088) - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
Summary: CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor c...
Status: NEW
Alias: CVE-2018-8088
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180222,repo...
Keywords: Security
Depends On: 1549929 1549387 1549388 1549389 1549390 1549391 1549928 1549930 1550336 1550337 1551840 1551843 1551844 1551845 1551846 1551848 1551849 1551850 1551851 1585897
Blocks: 1548912
 
Reported: 2018-02-26 01:02 UTC by Sam Fowler
Modified: 2019-04-22 21:33 UTC (History)
CC List: 116 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0582 None None None 2018-03-26 09:29 UTC
Red Hat Product Errata RHSA-2018:0592 None None None 2018-03-26 19:52 UTC
Red Hat Product Errata RHSA-2018:0627 None None None 2018-04-03 18:36 UTC
Red Hat Product Errata RHSA-2018:0628 None None None 2018-04-03 18:35 UTC
Red Hat Product Errata RHSA-2018:0629 None None None 2018-04-03 18:21 UTC
Red Hat Product Errata RHSA-2018:0630 None None None 2018-04-03 18:22 UTC
Red Hat Product Errata RHSA-2018:1247 None None None 2018-04-25 18:24 UTC
Red Hat Product Errata RHSA-2018:1248 None None None 2018-04-25 18:21 UTC
Red Hat Product Errata RHSA-2018:1249 None None None 2018-04-25 18:36 UTC
Red Hat Product Errata RHSA-2018:1251 None None None 2018-04-25 19:44 UTC
Red Hat Product Errata RHSA-2018:1323 None None None 2018-05-04 14:33 UTC
Red Hat Product Errata RHSA-2018:1447 None None None 2018-05-14 20:17 UTC
Red Hat Product Errata RHSA-2018:1448 None None None 2018-05-14 20:35 UTC
Red Hat Product Errata RHSA-2018:1449 None None None 2018-05-14 20:40 UTC
Red Hat Product Errata RHSA-2018:1450 None None None 2018-05-14 20:44 UTC
Red Hat Product Errata RHSA-2018:1451 None None None 2018-05-14 20:51 UTC
Red Hat Product Errata RHSA-2018:1525 None None None 2018-05-15 18:59 UTC
Red Hat Product Errata RHSA-2018:1575 None None None 2018-05-16 15:45 UTC
Red Hat Product Errata RHSA-2018:2143 None None None 2018-07-05 15:29 UTC
Red Hat Product Errata RHSA-2018:2419 None None None 2018-08-15 07:42 UTC
Red Hat Product Errata RHSA-2018:2420 None None None 2018-08-15 07:43 UTC
Red Hat Product Errata RHSA-2018:2669 None None None 2018-09-11 07:54 UTC
Red Hat Product Errata RHSA-2018:2930 None None None 2018-10-16 17:06 UTC

Description Sam Fowler 2018-02-26 01:02:57 UTC
SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor.


Upstream Issue:

https://jira.qos.ch/browse/SLF4J-430

Comment 1 Sam Fowler 2018-02-26 01:03:37 UTC
Acknowledgments:

Name: Chris McCown

Comment 4 Summer Long 2018-02-28 04:57:00 UTC
Created slf4j tracking bugs for this issue:

Affects: fedora-all [bug 1549928]


Created slf4j-jboss-logmanager tracking bugs for this issue:

Affects: fedora-all [bug 1549929]

Comment 14 Kunjan Rathod 2018-03-21 23:54:34 UTC
The vulnerable code appears to be https://github.com/qos-ch/slf4j/blob/c960e8630cdf0ec4a6c5ea687ebe536e9e43ab68/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java#L80, and it is not shipped in Vertx-3. Hence marking it as not affected.

Comment 15 Jason Shepherd 2018-03-21 23:56:52 UTC
Upstream have not fixed this issue yet. So I'm removing the fixed-in version value from this bug.

Ref: https://github.com/qos-ch/slf4j/blob/master/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java

Comment 18 errata-xmlrpc 2018-03-26 09:29:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0582 https://access.redhat.com/errata/RHSA-2018:0582

Comment 19 errata-xmlrpc 2018-03-26 19:51:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0592 https://access.redhat.com/errata/RHSA-2018:0592

Comment 20 Doran Moppert 2018-04-03 07:05:21 UTC
Statement:

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.

This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).

Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.
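
Comments 14, 15 and 20 above locate the issue in the EventData class of the slf4j-ext artifact and note that a deployment is only exposed when that artifact is actually on the classpath. The following is an added example, not code from the bug or from the slf4j project: a small inventory script that walks a directory tree, finds slf4j-ext jars, confirms they ship org/slf4j/ext/EventData.class, and flags the versions the report lists as affected (SLF4J through 1.7.25). The version cutoff, the jar naming pattern and the sample jars built by build_sample_tree() are assumptions made here for illustration; the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Inventory check for slf4j-ext jars (added example; version range per the report)."""
import os
import re
import tempfile
import zipfile

# Latest version the report lists as affected; anything at or below is flagged.
# Versions above this are outside the reported range and should be checked
# against the upstream tracker (SLF4J-430), not assumed safe by this script.
LAST_AFFECTED = (1, 7, 25)

# Class the report identifies as holding the vulnerable constructor.
EVENTDATA_CLASS = "org/slf4j/ext/EventData.class"


def parse_version(text):
    """Turn '1.7.25' (or '1.7.25.Final') into a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups(default="0"))


def is_affected(version):
    """True when the version is at or below LAST_AFFECTED."""
    v = parse_version(version)
    return v is not None and v <= LAST_AFFECTED


def jar_version(path):
    """Version from the file name, falling back to the jar's manifest."""
    m = re.search(r"slf4j-ext-(\d[\w.\-]*)\.jar$", os.path.basename(path))
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    return None


def jar_has_eventdata(path):
    """True if the jar actually ships the EventData class."""
    try:
        with zipfile.ZipFile(path) as zf:
            return EVENTDATA_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def scan(root):
    """Return {jar_path: (version, affected)} for every slf4j-ext jar under root.

    affected is True/False when the version is known, None when it could not
    be determined and the jar needs manual review."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("slf4j-ext") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if not jar_has_eventdata(path):
                affected = False
            elif version is None:
                affected = None
            else:
                affected = is_affected(version)
            findings[path] = (version, affected)
    return findings


def summarize(root):
    """Same as scan(), keyed by jar file name for easy reporting."""
    return {os.path.basename(p): v for p, v in scan(root).items()}


def _write_jar(path, manifest, with_class):
    """Helper: write a minimal constructed jar (zip) with a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if with_class:
            zf.writestr(EVENTDATA_CLASS, b"\xca\xfe\xba\xbe")  # constructed stub


def build_sample_tree():
    """Constructed sample deployment (not a real product layout)."""
    root = tempfile.mkdtemp(prefix="slf4j-scan-")
    for sub in ("lib", "legacy", "vendor"):
        os.makedirs(os.path.join(root, sub))
    _write_jar(os.path.join(root, "lib", "slf4j-ext-1.7.25.jar"),
               "Manifest-Version: 1.0\nImplementation-Version: 1.7.25\n", True)
    _write_jar(os.path.join(root, "lib", "slf4j-api-1.7.25.jar"),
               "Manifest-Version: 1.0\n", False)            # api jar: not in scope
    _write_jar(os.path.join(root, "legacy", "slf4j-ext.jar"),
               "Manifest-Version: 1.0\nBundle-Version: 1.7.21\n", True)  # version from manifest
    _write_jar(os.path.join(root, "vendor", "slf4j-ext-2.0.0.jar"),
               "Manifest-Version: 1.0\n", True)             # above the reported range
    return root


if __name__ == "__main__":
    for name, (ver, hit) in sorted(summarize(build_sample_tree()).items()):
        print(f"{name:28} version={ver!s:8} affected={hit}")
```

The class check matters because a jar named like slf4j-ext but repackaged without EventData does not carry the vulnerable constructor, while a renamed or shaded copy that does carry it will be missed by a name-based scan alone; on a real host, run summarize() against the application's lib directories and treat any None result as needing manual review.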

Comment 21 errata-xmlrpc 2018-04-03 18:20:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0629 https://access.redhat.com/errata/RHSA-2018:0629

Comment 22 errata-xmlrpc 2018-04-03 18:21:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0630 https://access.redhat.com/errata/RHSA-2018:0630

Comment 23 errata-xmlrpc 2018-04-03 18:34:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:0628 https://access.redhat.com/errata/RHSA-2018:0628

Comment 24 errata-xmlrpc 2018-04-03 18:36:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0627 https://access.redhat.com/errata/RHSA-2018:0627

Comment 26 errata-xmlrpc 2018-04-25 18:21:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248

Comment 27 errata-xmlrpc 2018-04-25 18:24:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247

Comment 28 errata-xmlrpc 2018-04-25 18:35:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249

Comment 29 errata-xmlrpc 2018-04-25 19:44:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251

Comment 30 Chess Hazlett 2018-05-03 01:53:58 UTC
SOA-P is reduced (critical only) support, marked WONTFIX

Comment 32 errata-xmlrpc 2018-05-04 14:33:16 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.2 zip

Via RHSA-2018:1323 https://access.redhat.com/errata/RHSA-2018:1323

Comment 33 errata-xmlrpc 2018-05-14 20:16:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

Comment 34 errata-xmlrpc 2018-05-14 20:34:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

Comment 35 errata-xmlrpc 2018-05-14 20:39:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

Comment 36 errata-xmlrpc 2018-05-14 20:43:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

Comment 37 errata-xmlrpc 2018-05-14 20:51:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

Comment 38 errata-xmlrpc 2018-05-15 18:59:03 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525

Comment 39 errata-xmlrpc 2018-05-16 15:44:58 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2018:1575 https://access.redhat.com/errata/RHSA-2018:1575

Comment 42 errata-xmlrpc 2018-07-05 15:28:24 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143

Comment 43 errata-xmlrpc 2018-08-15 07:41:44 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2018:2419 https://access.redhat.com/errata/RHSA-2018:2419

Comment 44 errata-xmlrpc 2018-08-15 07:42:01 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420

Comment 45 errata-xmlrpc 2018-08-15 07:42:48 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420

Comment 46 errata-xmlrpc 2018-09-11 07:54:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 47 errata-xmlrpc 2018-10-16 17:05:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network

Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

