Bug 1548909 (CVE-2018-8088) - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
Summary: CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-8088
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1549387 1549388 1549389 1549390 1549391 1549928 1549929 1549930 1550336 1550337 1551840 1551843 1551844 1551845 1551846 1551848 1551849 1551850 1551851 1585897 1708498
Blocks: 1548912
TreeView+ depends on / blocked
 
Reported: 2018-02-26 01:02 UTC by Sam Fowler
Modified: 2021-02-17 00:46 UTC (History)
134 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:41:14 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0582 0 None None None 2018-03-26 09:29:44 UTC
Red Hat Product Errata RHSA-2018:0592 0 None None None 2018-03-26 19:52:43 UTC
Red Hat Product Errata RHSA-2018:0627 0 None None None 2018-04-03 18:36:56 UTC
Red Hat Product Errata RHSA-2018:0628 0 None None None 2018-04-03 18:35:14 UTC
Red Hat Product Errata RHSA-2018:0629 0 None None None 2018-04-03 18:21:13 UTC
Red Hat Product Errata RHSA-2018:0630 0 None None None 2018-04-03 18:22:27 UTC
Red Hat Product Errata RHSA-2018:1247 0 None None None 2018-04-25 18:24:44 UTC
Red Hat Product Errata RHSA-2018:1248 0 None None None 2018-04-25 18:21:56 UTC
Red Hat Product Errata RHSA-2018:1249 0 None None None 2018-04-25 18:36:01 UTC
Red Hat Product Errata RHSA-2018:1251 0 None None None 2018-04-25 19:44:40 UTC
Red Hat Product Errata RHSA-2018:1323 0 None None None 2018-05-04 14:33:51 UTC
Red Hat Product Errata RHSA-2018:1447 0 None None None 2018-05-14 20:17:05 UTC
Red Hat Product Errata RHSA-2018:1448 0 None None None 2018-05-14 20:35:30 UTC
Red Hat Product Errata RHSA-2018:1449 0 None None None 2018-05-14 20:40:01 UTC
Red Hat Product Errata RHSA-2018:1450 0 None None None 2018-05-14 20:44:07 UTC
Red Hat Product Errata RHSA-2018:1451 0 None None None 2018-05-14 20:51:51 UTC
Red Hat Product Errata RHSA-2018:1525 0 None None None 2018-05-15 18:59:35 UTC
Red Hat Product Errata RHSA-2018:1575 0 None None None 2018-05-16 15:45:29 UTC
Red Hat Product Errata RHSA-2018:2143 0 None None None 2018-07-05 15:29:15 UTC
Red Hat Product Errata RHSA-2018:2419 0 None None None 2018-08-15 07:42:22 UTC
Red Hat Product Errata RHSA-2018:2420 0 None None None 2018-08-15 07:43:24 UTC
Red Hat Product Errata RHSA-2018:2669 0 None None None 2018-09-11 07:54:43 UTC
Red Hat Product Errata RHSA-2018:2930 0 None None None 2018-10-16 17:06:29 UTC
Red Hat Product Errata RHSA-2019:2413 0 None None None 2019-08-08 10:08:38 UTC
Red Hat Product Errata RHSA-2019:3140 0 None None None 2019-10-17 14:54:47 UTC
Red Hat Product Errata RHSA-2020:2561 0 None None None 2020-06-15 16:09:28 UTC

Description Sam Fowler 2018-02-26 01:02:57 UTC 
SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor.


Upstream Issue:

https://jira.qos.ch/browse/SLF4J-430
Comment 1 Sam Fowler 2018-02-26 01:03:37 UTC 
Acknowledgments:

Name: Chris McCown
Comment 4 Summer Long 2018-02-28 04:57:00 UTC 
Created slf4j tracking bugs for this issue:

Affects: fedora-all [bug 1549928]


Created slf4j-jboss-logmanager tracking bugs for this issue:

Affects: fedora-all [bug 1549929]
Comment 14 Kunjan Rathod 2018-03-21 23:54:34 UTC 
The vulnerable code appears to be https://github.com/qos-ch/slf4j/blob/c960e8630cdf0ec4a6c5ea687ebe536e9e43ab68/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java#L80, and it is not shipped in Vertx-3. Hence marking it as not affected.
Comment 15 Jason Shepherd 2018-03-21 23:56:52 UTC 
Upstream have not fixed this issue yet. So I'm removing the fixed-in version value from this bug.

Ref: https://github.com/qos-ch/slf4j/blob/master/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
Comment 18 errata-xmlrpc 2018-03-26 09:29:05 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0582 https://access.redhat.com/errata/RHSA-2018:0582
Comment 19 errata-xmlrpc 2018-03-26 19:51:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0592 https://access.redhat.com/errata/RHSA-2018:0592
Comment 20 Doran Moppert 2018-04-03 07:05:21 UTC 
Statement:

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.

This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).

Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.
Comment 21 errata-xmlrpc 2018-04-03 18:20:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0629 https://access.redhat.com/errata/RHSA-2018:0629
Comment 22 errata-xmlrpc 2018-04-03 18:21:49 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0630 https://access.redhat.com/errata/RHSA-2018:0630
Comment 23 errata-xmlrpc 2018-04-03 18:34:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:0628 https://access.redhat.com/errata/RHSA-2018:0628
Comment 24 errata-xmlrpc 2018-04-03 18:36:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0627 https://access.redhat.com/errata/RHSA-2018:0627
Comment 26 errata-xmlrpc 2018-04-25 18:21:14 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248
Comment 27 errata-xmlrpc 2018-04-25 18:24:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247
Comment 28 errata-xmlrpc 2018-04-25 18:35:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249
Comment 29 errata-xmlrpc 2018-04-25 19:44:00 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251
Comment 30 Chess Hazlett 2018-05-03 01:53:58 UTC 
SOA-P is reduced (critical only) support, marked WONTFIX
Comment 32 errata-xmlrpc 2018-05-04 14:33:16 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.2 zip

Via RHSA-2018:1323 https://access.redhat.com/errata/RHSA-2018:1323
Comment 33 errata-xmlrpc 2018-05-14 20:16:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
Comment 34 errata-xmlrpc 2018-05-14 20:34:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
Comment 35 errata-xmlrpc 2018-05-14 20:39:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
Comment 36 errata-xmlrpc 2018-05-14 20:43:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
Comment 37 errata-xmlrpc 2018-05-14 20:51:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
Comment 38 errata-xmlrpc 2018-05-15 18:59:03 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525
Comment 39 errata-xmlrpc 2018-05-16 15:44:58 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2018:1575 https://access.redhat.com/errata/RHSA-2018:1575
Comment 42 errata-xmlrpc 2018-07-05 15:28:24 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143
Comment 43 errata-xmlrpc 2018-08-15 07:41:44 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2018:2419 https://access.redhat.com/errata/RHSA-2018:2419
Comment 44 errata-xmlrpc 2018-08-15 07:42:01 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420
Comment 45 errata-xmlrpc 2018-08-15 07:42:48 UTC 
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2420 https://access.redhat.com/errata/RHSA-2018:2420
Comment 46 errata-xmlrpc 2018-09-11 07:54:11 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669
Comment 47 errata-xmlrpc 2018-10-16 17:05:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network

Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930
Comment 50 Joshua Padman 2019-05-15 22:44:12 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat Enterprise Application Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 52 errata-xmlrpc 2019-08-08 10:08:34 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.4.0

Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
Comment 53 errata-xmlrpc 2019-10-17 14:54:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8

Via RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3140
Comment 56 errata-xmlrpc 2020-06-15 16:09:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2561 https://access.redhat.com/errata/RHSA-2020:2561
Note You need to log in before you can comment on or make changes to this bug.