Bug 1085970 - (CVE-2018-8088) VUL-0: CVE-2018-8088: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/202244/
Whiteboard: CVSSv2:NVD:CVE-2018-8088:7.5:(AV:N/A...
Reported: 2018-03-20 08:49 UTC by Karol Babioch
Modified: 2019-05-29 08:31 UTC
Found By: Security Response Team

Description Karol Babioch 2018-03-20 08:49:48 UTC
rh#1548909

SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor.

Upstream Issue:
https://jira.qos.ch/browse/SLF4J-430

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8088
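The constructor named in the description, EventData(String), feeds its argument to java.beans.XMLDecoder, which does not validate against any schema: it instantiates whatever class the document names and calls whatever public methods it lists. The following is an added example, not code from the slf4j project or from this bug report, that makes the trust problem visible next to the non-deserialising way of building an EventData. It assumes slf4j-api and slf4j-ext 1.7.x (org.slf4j.ext.EventData) are on the classpath; the class and method names (EventDataDemo, vulnerable, decodeLikeEventData, safe), the sample XML document and the /tmp path in it are constructed for the example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import org.slf4j.ext.EventData;

// Added example (not slf4j's own code): why EventData(String) is unsafe on
// external input, and how to build the same event without deserialisation.
public class EventDataDemo {

    // Constructed input: a java.beans XML document of the kind that
    // EventData(String) hands to XMLDecoder. The class it names is chosen
    // by whoever wrote the document, not by the application. This sample is
    // deliberately harmless (it constructs a java.io.File), but nothing in
    // the decoder restricts which class or which public methods get used,
    // which is how the same path reaches arbitrary code execution.
    static final String ATTACKER_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <object class=\"java.io.File\">\n"
      + "    <string>/tmp/chosen-by-the-attacker</string>\n"
      + "  </object>\n"
      + "</java>\n";

    // Vulnerable pattern: a string that crossed a trust boundary (an HTTP
    // parameter, a queue message, a log line replayed from disk) is passed
    // straight to the XMLDecoder-backed constructor. The decoder executes
    // the document before the constructor ever looks at the result; with
    // slf4j-ext 1.7.25 the later cast to Map fails and the constructor
    // throws, but only after any side effects have already happened.
    static EventData vulnerable(String untrustedXml) {
        return new EventData(untrustedXml);
    }

    // The same decoding done with the JDK class directly, so the point is
    // visible without slf4j: the returned object is whatever the document
    // asked for (here a java.io.File), not a Map of event fields.
    static Object decodeLikeEventData(String xml) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject();
        }
    }

    // Safe pattern: parse and validate the fields yourself, then hand a
    // plain Map to EventData(Map). Neither that constructor nor the setters
    // deserialise anything, so external data never reaches XMLDecoder.
    static EventData safe(String type, String id, String message) {
        Map<String, Object> fields = new HashMap<>();
        fields.put(EventData.EVENT_TYPE, type);
        fields.put(EventData.EVENT_ID, id);
        fields.put(EventData.EVENT_MESSAGE, message);
        return new EventData(fields);
    }

    public static void main(String[] args) {
        Object decoded = decodeLikeEventData(ATTACKER_XML);
        System.out.println("XMLDecoder produced: " + decoded.getClass().getName());

        EventData event = safe("login", "42", "user logged in");
        // toXML() uses XMLEncoder on data the application built itself,
        // which is fine; the problem is only decoding data from outside.
        System.out.println(event.toXML());
    }
}
```

The practical check, given that upstream only deprecated the constructor, is to grep a code base for `new EventData(` with a single String argument and for `EventData.toXML()` output that is later stored or transmitted and fed back into that constructor; each such path needs the Map-based construction above, or a parser of your own that produces the Map.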
Comment 1 Karol Babioch 2018-03-20 08:50:42 UTC
The upstream "fix": https://github.com/qos-ch/slf4j/commit/d2b27fba88e983

It's only annotating the class as deprecated, not sure whether a real fix will be available.
Comment 2 Pedro Monreal Gonzalez 2018-03-28 12:49:40 UTC
Upstream has not fixed this bug yet and marked the affected code as deprecated and to be removed without a replacement on future releases.
Comment 6 Pedro Monreal Gonzalez 2018-05-18 09:32:07 UTC
Yes, upstream will remove the affected code without a replacement and the patch would throw a warning before using it.

I just submitted the packages for:

SLE-12-SP1: https://build.suse.de/request/show/165249
Factory:    https://build.opensuse.org/request/show/610257
Comment 7 Pedro Monreal Gonzalez 2018-05-18 09:38:21 UTC
Submitted also for SLE-15:
https://build.suse.de/request/show/165305
Comment 9 Swamp Workflow Management 2018-06-05 15:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (1085970) was mentioned in
https://build.opensuse.org/request/show/614315 15.0 / slf4j
Comment 10 Swamp Workflow Management 2018-06-09 13:10:36 UTC
openSUSE-SU-2018:1625-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1085970
CVE References: CVE-2018-8088
Sources used:
openSUSE Leap 15.0 (src):    slf4j-1.7.12-lp150.4.3.1
Comment 11 Swamp Workflow Management 2018-06-19 19:17:50 UTC
SUSE-SU-2018:1744-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1085970
CVE References: CVE-2018-8088
Sources used:
SUSE OpenStack Cloud 8 (src):    slf4j-1.7.12-3.3.1
SUSE Manager Server 3.1 (src):    slf4j-1.7.12-3.3.1
SUSE Manager Server 3.0 (src):    slf4j-1.7.12-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    slf4j-1.7.12-3.3.1
OpenStack Cloud Crowbar 8 (src):    slf4j-1.7.12-3.3.1
HPE Helion OpenStack 8 (src):    slf4j-1.7.12-3.3.1
Comment 12 Marcus Meissner 2018-07-06 05:06:35 UTC
done