Candidate: CVE-2018-8088
PublicDate: 2018-03-20 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
 https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
 https://jira.qos.ch/browse/SLF4J-430
 https://jira.qos.ch/browse/SLF4J-431
Description:
 org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before
 1.8.0-beta2 allows remote attackers to bypass intended access restrictions
 via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J has been
 fixed in SLF4J versions 1.7.26 and later and in the 2.0.x series.
Ubuntu-Description:
Notes:
 leosilva> fix provided by upstream seems not to fix; instead use fix provided
  by Fedora.
 leosilva> class was removed in bionic
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libslf4j-java:
 other: https://src.fedoraproject.org/cgit/rpms/slf4j.git/diff/0001-Disallow-EventData-deserialization-by-default.patch?id=d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63
upstream_libslf4j-java: needs-triage
precise/esm_libslf4j-java: DNE
trusty_libslf4j-java: not-affected (slf4j-ext not built in package)
trusty/esm_libslf4j-java: not-affected (slf4j-ext not built in package)
xenial_libslf4j-java: not-affected (slf4j-ext not built in package)
artful_libslf4j-java: ignored (reached end-of-life)
bionic_libslf4j-java: not-affected (1.7.25-3)
cosmic_libslf4j-java: not-affected (1.7.25-3)
devel_libslf4j-java: not-affected (1.7.25-3)