Bug#893684: libslf4j-java: CVE-2018-8088: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

Salvatore Bonaccorso carnil at debian.org
Wed Mar 21 06:58:19 UTC 2018


Source: libslf4j-java
Version: 1.7.25-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://jira.qos.ch/browse/SLF4J-430
Control: found -1 1.7.7-1

Hi,

the following vulnerability was published for libslf4j-java.

CVE-2018-8088[0]:
| org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before
| 1.8.0-beta2 allows remote attackers to bypass intended access
| restrictions via crafted data.

Unfortunately upstream does not tell us much on the security issue.
[1] itself and the subtask [2] only tell us that the EventData is
going to be marked first as deprecated (then removed) "due to a
security vulnerability" [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8088
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
[1] https://jira.qos.ch/browse/SLF4J-430
[2] https://jira.qos.ch/browse/SLF4J-430
[3] https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405

Please adjust the affected versions in the BTS as needed.
that all earlier versions are affected.

Regards,
Salvatore
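The CVE text above gives only a version boundary ("before 1.8.0-beta2") and the module name (slf4j-ext). The following Python script is an added example, not part of this bug report or of the SLF4J project, showing how a maintainer could check a dependency list for affected slf4j-ext artifacts. The dependency lines are constructed in the style of Maven coordinates (`groupId:artifactId:type:version:scope`); the only fact taken from the page is the fixed-version boundary.

```python
import re
from typing import List, Tuple

# Boundary taken from the CVE description: SLF4J "before 1.8.0-beta2" is affected.
FIXED_VERSION = "1.8.0-beta2"

# Only the slf4j-ext module ships org.slf4j.ext.EventData (per the CVE text).
AFFECTED_ARTIFACT = ("org.slf4j", "slf4j-ext")

_PRE_RE = re.compile(r"([A-Za-z]+)(\d*)")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, Tuple]:
    """Order Maven-style versions so that a pre-release (e.g. 1.8.0-beta1)
    sorts below the final release of the same number (1.8.0).

    Key layout: (numeric release parts, 1 if final else 0, pre-release tag).
    """
    release, _, pre = version.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    if not pre:
        return (nums, 1, ())
    m = _PRE_RE.fullmatch(pre)
    if m:
        # "beta2" -> ("beta", 2); a missing number counts as 0
        return (nums, 0, (m.group(1).lower(), int(m.group(2) or 0)))
    return (nums, 0, (pre.lower(), 0))


def is_affected(version: str) -> bool:
    """True when the given slf4j-ext version is older than the fixed one."""
    return version_key(version) < version_key(FIXED_VERSION)


def scan_dependencies(lines: List[str]) -> List[str]:
    """Return the coordinates of every affected slf4j-ext dependency.

    Each line is expected in the form group:artifact:type:version[:scope],
    which is how `mvn dependency:list` prints resolved artifacts (assumption).
    """
    hits = []
    for raw in lines:
        line = raw.strip()
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a coordinate line; skip log noise
        group, artifact, _type, version = parts[:4]
        if (group, artifact) == AFFECTED_ARTIFACT and is_affected(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample input (not real project output).
SAMPLE_DEPENDENCIES = [
    "[INFO] The following files have been resolved:",
    "   org.slf4j:slf4j-api:jar:1.7.25:compile",
    "   org.slf4j:slf4j-ext:jar:1.7.25:compile",
    "   org.slf4j:slf4j-ext:jar:1.8.0-beta1:test",
    "   org.slf4j:slf4j-ext:jar:1.8.0-beta2:compile",
    "   org.slf4j:slf4j-ext:jar:1.8.0:compile",
]

if __name__ == "__main__":
    for hit in scan_dependencies(SAMPLE_DEPENDENCIES):
        print("affected by CVE-2018-8088:", hit)
```

The ordering function is the part worth getting right: a naive string or float comparison would rank `1.8.0-beta1` above `1.8.0` and either miss an affected pre-release or flag a fixed final release.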