ID CVE-2018-8088
Summary org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
References
Vulnerable Configurations
  • SLF4J slf4j-ext 1.7.25
    cpe:2.3:a:slf4j:slf4j-ext:1.7.25
  • SLF4J slf4j-ext 1.8.0 Alpha0
    cpe:2.3:a:slf4j:slf4j-ext:1.8.0:alpha0
  • SLF4J slf4j-ext 1.8.0 Alpha1
    cpe:2.3:a:slf4j:slf4j-ext:1.8.0:alpha1
  • SLF4J slf4j-ext 1.8.0 Alpha2
    cpe:2.3:a:slf4j:slf4j-ext:1.8.0:alpha2
  • SLF4J slf4j-ext 1.8.0 Beta0
    cpe:2.3:a:slf4j:slf4j-ext:1.8.0:beta0
  • SLF4J slf4j-ext 1.8.0 Beta1
    cpe:2.3:a:slf4j:slf4j-ext:1.8.0:beta1
  • Red Hat JBoss Enterprise Application Platform (EAP) 7.1
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
  • Red Hat JBoss Enterprise Application Platform (EAP) 6.0.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0
  • Red Hat JBoss Enterprise Application Platform (EAP) 6.4.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0
  • Red Hat Enterprise Linux 5.0
    cpe:2.3:o:redhat:enterprise_linux:5.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Oracle Utilities Framework 4.2.0.2.0
    cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
  • Oracle Utilities Framework 4.2.0.3.0
    cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
  • Oracle Utilities Framework 4.3.0.2.0
    cpe:2.3:a:oracle:utilities_framework:4.3.0.2.0
  • Oracle Utilities Framework 4.3.0.3.0
    cpe:2.3:a:oracle:utilities_framework:4.3.0.3.0
  • Oracle Utilities Framework 4.3.0.4.0
    cpe:2.3:a:oracle:utilities_framework:4.3.0.4.0
  • Oracle Utilities Framework 4.3.0.5.0
    cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0
  • Oracle Utilities Framework 4.3.0.6.0
    cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
  • Oracle Utilities Framework 4.4.0.0.0
    cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1248.NASL
    description Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.1.2 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067) * wildfly-undertow: undertow: Path traversal in ServletResourceManager class (CVE-2018-1047) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) Red Hat would like to thank Ammarit Thongthua and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067, and Chris McCown for reporting CVE-2018-8088. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109389
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109389
    title RHEL 6 : JBoss EAP (RHSA-2018:1248)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1249.NASL
    description An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1.2 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1.2. Refer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067) * wildfly-undertow: undertow: Path traversal in ServletResourceManager class (CVE-2018-1047) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) Red Hat would like to thank Ammarit Thongthua and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067, and Chris McCown for reporting CVE-2018-8088. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109390
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109390
    title RHEL 6 / 7 : JBoss EAP (RHSA-2018:1249)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1449.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109906
    published 2018-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109906
    title RHEL 6 : JBoss EAP (RHSA-2018:1449)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1247.NASL
    description Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.1.2 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067) * wildfly-undertow: undertow: Path traversal in ServletResourceManager class (CVE-2018-1047) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) Red Hat would like to thank Ammarit Thongthua and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067, and Chris McCown for reporting CVE-2018-8088. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109388
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109388
    title RHEL 7 : JBoss EAP (RHSA-2018:1247)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1451.NASL
    description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109838
    published 2018-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109838
    title RHEL 6 : eap6-jboss-ec2-eap (RHSA-2018:1451)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1525.NASL
    description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1558801, BZ#1563545) Security Fix(es) : * python-paramiko: Authentication bypass in transport.py (CVE-2018-7750) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) * ovirt-engine: account enumeration through login to web console (CVE-2018-1073) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting CVE-2018-8088. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat). Enhancement(s) : * Previously, the default memory allotment for the RHV-M Virtual Appliance was always large enough to include support for user additions. In this release, the RHV-M Virtual Appliance includes a swap partition that enables the memory to be increased when required. (BZ#1422982) * Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, '/' and swap. In this release, the disk partitioning scheme has been modified to match the scheme specified by NIST. The updated disk partitions are as follows : /boot 1G (primary) /home 1G (lvm) /tmp 2G (lvm) /var 20G (lvm) /var/log 10G (lvm) /var/log/audit 1G (lvm) swap 8G (lvm) / 6G (primary) (BZ#1463853) * Previously, the version tag was used as part of the RPM's naming scheme, for example, '4.1.timestamp', which created differences between the upstream and downstream versioning schemes. In this release, the downstream versioning scheme is aligned with the upstream scheme and the timestamp has moved from the version tag to the release tag. (BZ#1464486)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109910
    published 2018-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109910
    title RHEL 7 : Virtualization (RHSA-2018:1525)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1448.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360Guan Xing Shi Yan Shi for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109905
    published 2018-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109905
    title RHEL 7 : JBoss EAP (RHSA-2018:1448)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1092.NASL
    description According to the versions of the slf4j package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Simple Logging Facade for Java or (SLF4J) is intended to serve as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). - Logging API implementations can either choose to implement the SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively, it is possible (and rather easy) to write SLF4J adapters for the given API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter. - Security fix(es): - An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109490
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109490
    title EulerOS 2.0 SP1 : slf4j (EulerOS-SA-2018-1092)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0628.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on WildFly. This asynchronous patch is a security update for the slf4j package in Red Hat JBoss Enterprise Application Platform 7.1. Security Fix(es) : * An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088) The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108866
    published 2018-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108866
    title RHEL 6 / 7 : JBoss EAP (RHSA-2018:0628)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A46B358764.NASL
    description Security fix for CVE-2018-8088 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108734
    published 2018-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108734
    title Fedora 26 : slf4j (2018-a46b358764)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-8B0AD602BE.NASL
    description Security fix for CVE-2018-8088 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120593
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120593
    title Fedora 28 : slf4j (2018-8b0ad602be)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0627.NASL
    description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for the slf4j package in Red Hat JBoss Enterprise Application Platform 6.4. Security Fix(es) : * An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088) The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108865
    published 2018-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108865
    title RHEL 6 / 7 : JBoss EAP (RHSA-2018:0627)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1093.NASL
    description According to the versions of the slf4j package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Simple Logging Facade for Java or (SLF4J) is intended to serve as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). - Logging API implementations can either choose to implement the SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively, it is possible (and rather easy) to write SLF4J adapters for the given API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter. - Security fix(es): - An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109491
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109491
    title EulerOS 2.0 SP2 : slf4j (EulerOS-SA-2018-1093)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0592.NASL
    description From Red Hat Security Advisory 2018:0592 : An update for slf4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). Security Fix(es) : * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting this issue.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108642
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108642
    title Oracle Linux 7 : slf4j (ELSA-2018-0592)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0592.NASL
    description An update for slf4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). Security Fix(es) : * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108644
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108644
    title RHEL 7 : slf4j (RHSA-2018:0592)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0592.NASL
    description An update for slf4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). Security Fix(es) : * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Chris McCown for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108660
    published 2018-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108660
    title CentOS 7 : slf4j (CESA-2018:0592)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-999.NASL
    description Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution : An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 109181
    published 2018-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109181
    title Amazon Linux 2 : slf4j (ALAS-2018-999)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180326_SLF4J_ON_SL7_X.NASL
    description Security Fix(es) : - slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 108645
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108645
    title Scientific Linux Security Update : slf4j on SL7.x (noarch)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A4353F97DB.NASL
    description Security fix for CVE-2018-8088 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108733
    published 2018-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108733
    title Fedora 27 : slf4j (2018-a4353f97db)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1159.NASL
    description According to the versions of the slf4j package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Simple Logging Facade for Java or (SLF4J) is intended to serve as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL). - Logging API implementations can either choose to implement the SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively, it is possible (and rather easy) to write SLF4J adapters for the given API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter. - Security fix(es): - An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution. (CVE-2018-8088) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110735
    published 2018-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110735
    title EulerOS 2.0 SP3 : slf4j (EulerOS-SA-2018-1159)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-601.NASL
    description This update for slf4j fixes the following security issue : - CVE-2018-8088: Remote attackers could have bypassed intended access restrictions via crafted data. Disallow EventData deserialization by default from now on (bsc#1085970).
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 110440
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110440
    title openSUSE Security Update : slf4j (openSUSE-2018-601)
redhat via4
advisories
  • bugzilla
    id 1548909
    title CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment slf4j is earlier than 0:1.7.4-4.el7_4
          oval oval:com.redhat.rhsa:tst:20180592007
        • comment slf4j is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20180592008
      • AND
        • comment slf4j-javadoc is earlier than 0:1.7.4-4.el7_4
          oval oval:com.redhat.rhsa:tst:20180592005
        • comment slf4j-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20180592006
      • AND
        • comment slf4j-manual is earlier than 0:1.7.4-4.el7_4
          oval oval:com.redhat.rhsa:tst:20180592009
        • comment slf4j-manual is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20180592010
    rhsa
    id RHSA-2018:0592
    released 2018-03-26
    severity Important
    title RHSA-2018:0592: slf4j security update (Important)
  • rhsa
    id RHSA-2018:0582
  • rhsa
    id RHSA-2018:0627
  • rhsa
    id RHSA-2018:0628
  • rhsa
    id RHSA-2018:0629
  • rhsa
    id RHSA-2018:0630
  • rhsa
    id RHSA-2018:1247
  • rhsa
    id RHSA-2018:1248
  • rhsa
    id RHSA-2018:1249
  • rhsa
    id RHSA-2018:1251
  • rhsa
    id RHSA-2018:1323
  • rhsa
    id RHSA-2018:1447
  • rhsa
    id RHSA-2018:1448
  • rhsa
    id RHSA-2018:1449
  • rhsa
    id RHSA-2018:1450
  • rhsa
    id RHSA-2018:1451
  • rhsa
    id RHSA-2018:1525
  • rhsa
    id RHSA-2018:1575
  • rhsa
    id RHSA-2018:2143
  • rhsa
    id RHSA-2018:2419
  • rhsa
    id RHSA-2018:2420
  • rhsa
    id RHSA-2018:2669
  • rhsa
    id RHSA-2018:2930
rpms
  • slf4j-0:1.7.4-4.el7_4
  • slf4j-javadoc-0:1.7.4-4.el7_4
  • slf4j-manual-0:1.7.4-4.el7_4
refmap via4
bid 103737
misc
mlist
  • [infra-devnull] 20190321 [GitHub] [tika] dadoonet opened pull request #268: Update slf4j to 1.8.0-beta4
  • [infra-devnull] 20190321 [GitHub] [tika] grossws commented on issue #268: Update slf4j to 1.8.0-beta4
sectrack 1040627
Last major update 20-03-2018 - 12:29
Published 20-03-2018 - 12:29
Last modified 26-04-2019 - 09:30