- Issued:
- 2018-04-03
- Updated:
- 2018-04-03
RHSA-2018:0629 - Security Advisory
Synopsis
Important: Red Hat JBoss Enterprise Application Platform 7.1 security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on WildFly.
This asynchronous patch is a security update for slf4j package in Red Hat JBoss Enterprise Application Platform 7.1.
Security Fix(es):
- An XML deserialization vulnerability was discovered in slf4j's EventData which accepts xml serialized string and can lead to arbitrary code execution. (CVE-2018-8088)
The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL).
Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.
Solution
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect.
Affected Products
- JBoss Enterprise Application Platform Text-Only Advisories x86_64
Fixes
- BZ - 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
CVEs
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.1
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
