Red Hat Product Errata RHSA-2018:0629 - Security Advisory
Issued:
2018-04-03
Updated:
2018-04-03

RHSA-2018:0629 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.1 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on WildFly.

This asynchronous patch is a security update for slf4j package in Red Hat JBoss Enterprise Application Platform 7.1.

Security Fix(es):

  • An XML deserialization vulnerability was discovered in slf4j's EventData which accepts xml serialized string and can lead to arbitrary code execution. (CVE-2018-8088)

The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL).

Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must log in to download the update).

The JBoss server process must be restarted for the update to take effect.

Affected Products

  • JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

  • BZ - 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.