SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
BID:103737
CVE-2018-8088 |Info
SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
| Bugtraq ID: | 103737 |
| Class: | Input Validation Error |
| CVE: |
CVE-2018-8088 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 22 2018 12:00AM |
| Updated: | Apr 18 2019 11:00AM |
| Credit: | Chris McCown |
| Vulnerable: |
Redhat Subscription Asset Manager 1 Redhat Software Collections for RHEL 0 Redhat Software Collections 1 for RHEL 7 0 Redhat Software Collections 1 for RHEL 7.3 Redhat Redhat JBoss Enterprise Application Platform (for RHEL 7) 7.1 Redhat Redhat JBoss Enterprise Application Platform (for RHEL 6) 7.1 Redhat JBoss Enterprise Application Platform 6 for RHEL 7 Server 0 Redhat JBoss Enterprise Application Platform 6 for RHEL 6 Server 0 Redhat JBoss Enterprise Application Platform 6 for RHEL 5 Server 0 Redhat JBoss Enterprise Application Platform (for RHEL 7) 7.0 Redhat JBoss Enterprise Application Platform (for RHEL 7) 6.4 Redhat JBoss Enterprise Application Platform (for RHEL 7) 6.3 Redhat JBoss Enterprise Application Platform (for RHEL 6) 7.0 Redhat JBoss Enterprise Application Platform (for RHEL 6) 6.4 Redhat JBoss Enterprise Application Platform (for RHEL 5) 6.4 Redhat JBoss Enterprise Application Platform 6.4 Redhat Jboss EAP 7.1 Redhat Enterprise Linux 7 Redhat Enterprise Linux 6 QOS.ch SLF4J 1.7.25 QOS.ch SLF4J 1.7.24 QOS.ch SLF4J 1.7.23 QOS.ch SLF4J 1.7.22 QOS.ch SLF4J 1.7.21 QOS.ch SLF4J 1.7.20 QOS.ch SLF4J 1.7.19 QOS.ch SLF4J 1.7.18 QOS.ch SLF4J 1.7.16 QOS.ch SLF4J 1.7.15 QOS.ch SLF4J 1.7.10 QOS.ch SLF4J 1.7.5 QOS.ch SLF4J 1.7 Oracle Utilities Framework 4.4.0.0.0 Oracle Utilities Framework 4.3.0.5.0 Oracle Utilities Framework 4.3.0.4 Oracle Utilities Framework 4.3.0.3.0 Oracle Utilities Framework 4.3.0.2.0 Oracle Utilities Framework 4.2.0.3.0 Oracle Utilities Framework 4.2.0.2.0 Oracle Linux 7.0 Oracle Linux 7 |
| Not Vulnerable: |
QOS.ch SLF4J 1.8.0-Beta2 |
Discussion
SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
SLF4J is prone to remote code-execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.
Versions prior to SLF4J 1.8.0-beta2 are vulnerable.
SLF4J is prone to remote code-execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.
Versions prior to SLF4J 1.8.0-beta2 are vulnerable.
Exploit / POC
SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
SLF4J 'EventData' Constructor Remote Code Execution Vulnerability
References:
References:
- Bug 1548909 - (CVE-2018-8088) CVE-2018-8088 slf4j: Deserialisation vulnerability (Red Hat Bugzilla)
- CVE-2018-8088 (Red Hat Bugzilla)
- Remove org.slf4j.ext.EventData due to security issue (SLF4J)
- SLF4J Home Page (SLF4J)
- Oracle Critical Patch Update Advisory - April 2019 (Oracle)
- Oracle Linux Bulletin - April 2018 (Oracle)