Description
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J has been fixed in SLF4J versions 1.7.26 and later and in the 2.0.x series.
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML-serialized string and can lead to arbitrary code execution.
Report
Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.
This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).
Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | slf4j | Will not fix | | |
| Red Hat Enterprise Linux 6 | slf4j | Will not fix | | |
| Red Hat Enterprise Linux 8 | slf4j | Not affected | | |
| Red Hat Fuse 7 | slf4j | Affected | | |
| Red Hat Fuse 7 | teiid | Affected | | |
| Red Hat JBoss A-MQ 6 | slf4j | Under investigation | | |
| Red Hat JBoss BRMS 5 | slf4j | Not affected | | |
| Red Hat JBoss Data Grid 6 | slf4j | Not affected | | |
| Red Hat JBoss Data Grid 7 | slf4j | Affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | slf4j | Out of support scope | | |
Additional information
CVSS3: 8.1 (High)