CVE-2018-8088

Impact: Important
Public Date: 2018-02-22
CWE: CWE-502
Bugzilla: 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
An XML deserialization vulnerability was discovered in slf4j's EventData class (shipped in the slf4j-ext module, not in slf4j-api): its constructor accepts an XML-serialized string and deserializes it, which can lead to arbitrary code execution.

Find out more about CVE-2018-8088 from the MITRE CVE dictionary and NIST NVD.

Statement

Subscription Asset Manager is now in a reduced support phase, receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important and is not currently planned to be addressed in future updates.

This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).

Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via yum update.
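To tell an exposed deployment from one that only carries slf4j-api, as the Candlepin statement above does, this added Python scan (not Red Hat's or the slf4j project's code) looks for the org.slf4j.ext.EventData class inside every jar, war and ear under a directory, including nested and shaded archives whose file name gives no hint; the sample tree it builds in demo() is constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Class shipped only by the slf4j-ext artifact (never by slf4j-api).
EVENTDATA_ENTRY = "org/slf4j/ext/EventData.class"

def _zip_has_eventdata(zf):
    """True if EventData is in `zf` itself or in a nested jar (war/ear lib)."""
    names = zf.namelist()
    nested = (n for n in names if n.lower().endswith(".jar"))
    return EVENTDATA_ENTRY in names or any(
        _zip_has_eventdata(zipfile.ZipFile(io.BytesIO(zf.read(n)))) for n in nested)

def find_eventdata_archives(root):
    """Walk `root`; return sorted relative paths of archives bundling EventData."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    if _zip_has_eventdata(zf):
                        hits.append(os.path.relpath(path, root))
            except zipfile.BadZipFile:
                pass  # stray or corrupt file (outer or nested); skip, keep scanning
    return sorted(hits)

def demo():
    """Constructed sample tree (not real artifacts): slf4j-ext, slf4j-api, a
    shaded fat jar hiding EventData, and a war nesting the slf4j-ext jar."""
    root, stub = tempfile.mkdtemp(), b"\xca\xfe\xba\xbe"  # fake class bytes
    def write(rel, entries):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for n, data in entries.items():
                zf.writestr(n, data)
        return path
    ext = write("lib/slf4j-ext-1.7.25.jar", {EVENTDATA_ENTRY: stub})
    write("lib/slf4j-api-1.7.25.jar", {"org/slf4j/Logger.class": stub})
    write("app/myapp-all.jar", {"Main.class": stub, EVENTDATA_ENTRY: stub})
    with open(ext, "rb") as f:
        write("deploy/site.war", {"WEB-INF/lib/slf4j-ext-1.7.25.jar": f.read()})
    return find_eventdata_archives(root)
```

A hit only says the vulnerable class is present on disk; whether the application actually reaches the EventData constructor with untrusted XML still has to be confirmed against the code paths the errata above patch.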

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Operations Network 3.3 RHSA-2018:2930 2018-10-16
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2018:1450 2018-05-14
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-maven35-slf4j) RHSA-2018:0582 2018-03-26
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:1447 2018-05-14
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:0630 2018-04-03
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2018:1449 2018-05-14
Red Hat Enterprise Linux 7 (slf4j) RHSA-2018:0592 2018-03-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:1248 2018-04-25
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2018:1249 2018-04-25
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (slf4j-eap6) RHSA-2018:0627 2018-04-03
Red Hat JBoss BRMS 6.4 RHSA-2018:2420 2018-08-15
Red Hat JBoss BRMS 7.0 RHSA-2018:2143 2018-07-05
Red Hat JBoss EAP 7.1 RHSA-2018:1251 2018-04-25
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2018:1448 2018-05-14
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-slf4j) RHSA-2018:0628 2018-04-03
Red Hat JBoss Data Grid 7.2 RHSA-2018:1575 2018-05-16
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:1247 2018-04-25
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) RHSA-2018:1525 2018-05-15
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2018:1249 2018-04-25
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (slf4j-eap6) RHSA-2018:0627 2018-04-03
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2018:1451 2018-05-14
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-slf4j) RHSA-2018:0628 2018-04-03
Red Hat Single Sign-On 7.2 RHSA-2018:1323 2018-05-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (slf4j-eap6) RHSA-2018:0627 2018-04-03
Red Hat JBoss BPMS 6.4 RHSA-2018:2419 2018-08-15
Red Hat JBoss Fuse 7 RHSA-2018:2669 2018-09-11
Red Hat JBoss EAP 7.1 RHSA-2018:0629 2018-04-03

Affected Packages State

Platform Package State
Red Hat Virtualization 4 jboss Affected
Red Hat Subscription Asset Manager 1 slf4j Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-slf4j Not affected
Red Hat Single Sign-On 7 slf4j Affected
Red Hat Satellite 6 slf4j Not affected
Red Hat Satellite 6 spacewalk-slf4j Not affected
Red Hat OpenStack Platform 9.0 slf4j-api Not affected
Red Hat OpenStack Platform 8.0 (Liberty) slf4j-api Not affected
Red Hat OpenStack Platform 13.0 (Queens) slf4j-api Not affected
Red Hat OpenStack Platform 12.0 slf4j-api Not affected
Red Hat OpenStack Platform 11.0 (Ocata) slf4j-api Not affected
Red Hat OpenStack Platform 10 slf4j-api Not affected
Red Hat OpenShift Application Runtimes 1.0 vertx Not affected
Red Hat JBoss Web Server 3 slf4j Not affected
Red Hat JBoss Portal Platform 6 slf4j Not affected
Red Hat JBoss Fuse Service Works 6 slf4j Out of support scope
Red Hat JBoss Fuse 6 slf4j Under investigation
Red Hat JBoss Enterprise SOA Platform 5 slf4j Will not fix
Red Hat JBoss EAP 5 slf4j Out of support scope
Red Hat JBoss Data Virtualization 6 slf4j Affected
Red Hat JBoss Data Grid 6 slf4j Not affected
Red Hat JBoss BRMS 5 slf4j Not affected
Red Hat JBoss A-MQ 6 slf4j Under investigation
Red Hat Enterprise Linux 8 slf4j Not affected
Red Hat Enterprise Linux 6 slf4j Will not fix

Acknowledgements

Red Hat would like to thank Chris McCown for reporting this issue.