2252956 – (CVE-2023-6481) CVE-2023-6481 logback: A serialization vulnerability in logback receiver

Bug 2252956 (CVE-2023-6481) - CVE-2023-6481 logback: A serialization vulnerability in logback receiver

Summary: CVE-2023-6481 logback: A serialization vulnerability in logback receiver

Keywords:
Status:	NEW
Alias:	CVE-2023-6481
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2252957 2252958 2252959
Blocks:	2252950
TreeView+	depends on / blocked

Reported:	2023-12-05 12:42 UTC by Avinash Hanwate
Modified:	2024-05-23 22:46 UTC (History)
CC List:	90 users (show)
Fixed In Version:	logback-classic 1.2.13, logback-classic 1.3.14, logback-classic 1.4.14
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0793	None	None	None	2024-02-12 18:01:18 UTC
Red Hat Product Errata	RHSA-2024:0843	None	None	None	2024-02-15 12:55:37 UTC
Red Hat Product Errata	RHSA-2024:2945	None	None	None	2024-05-21 14:18:46 UTC
Red Hat Product Errata	RHSA-2024:3354	None	None	None	2024-05-23 22:46:39 UTC

Description Avinash Hanwate 2023-12-05 12:42:43 UTC

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

https://logback.qos.ch/news.html#1.3.12
https://logback.qos.ch/news.html#1.3.14

Comment 1 Avinash Hanwate 2023-12-05 12:43:01 UTC

Created picocli tracking bugs for this issue:

Affects: fedora-all [bug 2252957]

Comment 6 errata-xmlrpc 2024-02-12 18:01:14 UTC

This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.3

Via RHSA-2024:0793 https://access.redhat.com/errata/RHSA-2024:0793

Comment 7 errata-xmlrpc 2024-02-15 12:55:33 UTC

This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 10 errata-xmlrpc 2024-05-21 14:18:40 UTC

This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:2945 https://access.redhat.com/errata/RHSA-2024:2945

Comment 11 errata-xmlrpc 2024-05-23 22:46:33 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354

Note You need to log in before you can comment on or make changes to this bug.

adupliak
aileenc
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
ccranfor
cdewolf
chazlett
chfoley
clement.escoffier
cmiranda
cmoulliard
csutherl
dandread
darran.lofthouse
dhanak
dkreling
dosoudil
drichtar
dsimansk
fjuma
fmariani
gmalinko
gsmet
ibek
ikanello
ivassile
iweiss
janstey
jcantril
jcechace
jclere
jmartisk
jpechane
jpoth
jrokos
jross
jscholz
kingland
kverlaen
lgao
lthon
matzew
max.andersen
mmadzin
mnovotny
mosmerov
msochure
mstefank
msvehla
mulliken
nwallace
olubyans
pcongius
pdelbell
pdrozd
peholase
periklis
pgallagh
pierdipi
pjindal
pmackay
probinso
pskopek
rguimara
rhuss
rjohnson
rkieley
rowaters
rruss
rstancel
rsvoboda
saroy
sbiarozk
sdouglas
skontopo
smaestri
sthorger
swoodman
szappis
tcunning
tom.jenkinson
tqvarnst
yfang