An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.
Find out more about CVE-2018-8088 from the MITRE CVE dictionary and NIST NVD.
Subscription Asset Manager is now in a reduced support phase, receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important and is not currently planned to be addressed in future updates.
This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).
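The classpath reasoning above (slf4j-api alone is not affected; exposure requires the slf4j-ext jar that ships EventData) can be turned into a quick exposure check. The scanner below is an added example, not Red Hat's or the slf4j project's code; the two sample jars it builds are constructed fixtures, and the filenames are placeholders.

```python
"""Scan a directory of jars for the slf4j-ext EventData class named in CVE-2018-8088."""
import os
import tempfile
import zipfile

# The class CVE-2018-8088 concerns. It ships in slf4j-ext, not slf4j-api,
# so a deployment that carries only slf4j-api does not contain it.
EVENTDATA_CLASS = "org/slf4j/ext/EventData.class"


def jar_has_eventdata(jar_path):
    """Return True if the jar contains the EventData class (False for unreadable jars)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return EVENTDATA_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False


def scan_classpath(directory):
    """Return the sorted names of all .jar files under directory that carry EventData."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".jar") and jar_has_eventdata(os.path.join(root, name)):
                hits.append(name)
    return sorted(hits)


def build_sample_classpath():
    """Constructed fixture: an api-like jar without EventData and an ext-like jar with it.

    The jar names are placeholders and the class bodies are dummy bytes; only the
    entry names matter for the check. Returns the temporary directory path.
    """
    directory = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(directory, "slf4j-api-sample.jar"), "w") as zf:
        zf.writestr("org/slf4j/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(directory, "slf4j-ext-sample.jar"), "w") as zf:
        zf.writestr(EVENTDATA_CLASS, b"\xca\xfe\xba\xbe")
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_classpath()
    print(scan_classpath(sample_dir))  # ['slf4j-ext-sample.jar']
```

Point `scan_classpath` at a real application's lib directory to list the jars that would need the errata below; an empty result with slf4j-api present is the "not affected" case the Candlepin note describes.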
Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Operations Network 3.3 | RHSA-2018:2930 | 2018-10-16 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2018:1450 | 2018-05-14 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-maven35-slf4j) | RHSA-2018:0582 | 2018-03-26 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:1447 | 2018-05-14 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:0630 | 2018-04-03 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2018:1449 | 2018-05-14 |
| Red Hat Enterprise Linux 7 (slf4j) | RHSA-2018:0592 | 2018-03-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2018:1248 | 2018-04-25 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:1249 | 2018-04-25 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (slf4j-eap6) | RHSA-2018:0627 | 2018-04-03 |
| Red Hat JBoss BRMS 6.4 | RHSA-2018:2420 | 2018-08-15 |
| Red Hat JBoss BRMS 7.0 | RHSA-2018:2143 | 2018-07-05 |
| Red Hat JBoss EAP 7.1 | RHSA-2018:1251 | 2018-04-25 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2018:1448 | 2018-05-14 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-slf4j) | RHSA-2018:0628 | 2018-04-03 |
| Red Hat JBoss Data Grid 7.2 | RHSA-2018:1575 | 2018-05-16 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2018:1247 | 2018-04-25 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2018:1525 | 2018-05-15 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:1249 | 2018-04-25 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (slf4j-eap6) | RHSA-2018:0627 | 2018-04-03 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2018:1451 | 2018-05-14 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-slf4j) | RHSA-2018:0628 | 2018-04-03 |
| Red Hat Single Sign-On 7.2 | RHSA-2018:1323 | 2018-05-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (slf4j-eap6) | RHSA-2018:0627 | 2018-04-03 |
| Red Hat JBoss BPMS 6.4 | RHSA-2018:2419 | 2018-08-15 |
| Red Hat JBoss Fuse 7 | RHSA-2018:2669 | 2018-09-11 |
| Red Hat JBoss EAP 7.1 | RHSA-2018:0629 | 2018-04-03 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | jboss | Affected |
| Red Hat Subscription Asset Manager 1 | slf4j | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-slf4j | Not affected |
| Red Hat Single Sign-On 7 | slf4j | Affected |
| Red Hat Satellite 6 | slf4j | Not affected |
| Red Hat Satellite 6 | spacewalk-slf4j | Not affected |
| Red Hat OpenStack Platform 9.0 | slf4j-api | Not affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | slf4j-api | Not affected |
| Red Hat OpenStack Platform 13.0 (Queens) | slf4j-api | Not affected |
| Red Hat OpenStack Platform 12.0 | slf4j-api | Not affected |
| Red Hat OpenStack Platform 11.0 (Ocata) | slf4j-api | Not affected |
| Red Hat OpenStack Platform 10 | slf4j-api | Not affected |
| Red Hat OpenShift Application Runtimes 1.0 | vertx | Not affected |
| Red Hat JBoss Web Server 3 | slf4j | Not affected |
| Red Hat JBoss Portal Platform 6 | slf4j | Not affected |
| Red Hat JBoss Fuse Service Works 6 | slf4j | Under investigation |
| Red Hat JBoss Fuse 6 | slf4j | Under investigation |
| Red Hat JBoss Enterprise SOA Platform 5 | slf4j | Will not fix |
| Red Hat JBoss EAP 5 | slf4j | Under investigation |
| Red Hat JBoss Data Virtualization 6 | slf4j | Under investigation |
| Red Hat JBoss Data Grid 6 | slf4j | Not affected |
| Red Hat JBoss BRMS 5 | slf4j | Not affected |
| Red Hat JBoss A-MQ 6 | slf4j | Under investigation |
| Red Hat Enterprise Linux 6 | slf4j | Will not fix |