RHSA-2018:0592: Important: slf4j security update
The Simple Logging Facade for Java or (SLF4J) is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL).<br>Security Fix(es):<br><li> slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)</li> For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.<br>Red Hat would like to thank Chris McCown for reporting this issue.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2018:0592?
The severity of RHSA-2018:0592 is classified as important.
How do I fix RHSA-2018:0592?
To fix RHSA-2018:0592, you should update to the version 1.7.4-4.el7_4 of the affected SLF4J packages.
Which versions of SLF4J are affected by RHSA-2018:0592?
RHSA-2018:0592 affects versions of SLF4J up to, but not including, 1.7.4-4.el7_4.
What packages are impacted by RHSA-2018:0592?
The impacted packages include slf4j, slf4j-javadoc, and slf4j-manual.
Is there a migration path recommended for RHSA-2018:0592?
Yes, RHSA-2018:0592 provides a gradual migration path away from Jakarta Commons Logging.