Lucene search

K
amazonAmazonALAS2-2018-999
HistoryApr 19, 2018 - 5:11 a.m.

Important: slf4j

2018-04-1905:11:00
alas.aws.amazon.com
13

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Issue Overview:

Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution:
An XML deserialization vulnerability was discovered in slf4j’s EventData which accepts anXML serialized string and can lead to arbitrary code execution. (CVE-2018-8088)

Affected Packages:

slf4j

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update slf4j to update your system.

New Packages:

noarch:  
    slf4j-1.7.4-4.amzn2.noarch  
    slf4j-javadoc-1.7.4-4.amzn2.noarch  
    slf4j-manual-1.7.4-4.amzn2.noarch  
  
src:  
    slf4j-1.7.4-4.amzn2.src  

Additional References

Red Hat: CVE-2018-8088

Mitre: CVE-2018-8088

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for ALAS2-2018-999