Commit d2b27fb
Showing 1 changed file with 2 additions and 0 deletions.
What exactly is the issue here? Unfortunately there seem to be no details available on this, and marking a class "deprecated" is not necessarily a real fix.
@kbabioch Are you using the EventData class?
@ceki I'm evaluating this issue, and realized that basically no details are available yet :-/.
SLF4J-431 is a subtask of SLF4J-430. EventData is slated to be removed due to a security vulnerability.
Regarding http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088, as far as I understand, the solution is to update to version 1.8.0-beta2.
However, on https://jira.qos.ch/browse/SLF4J-430, you can see that the fix version is 1.8.0-beta3.
So, what could we advise in order to fix the threat?
As far as I know, org.slf4j.ext.EventData is not widely used.
@adioss
I suppose you use the OWASP dependency-checker or similar and got a warning about CVE-2018-8088.
(In that case, same as us.)
My understanding after analyzing this is that only the slf4j-ext module has the vulnerability, and only the EventData class is affected. Most users of SLF4J don't use this.
https://nvd.nist.gov/vuln/detail/CVE-2018-8088
https://mvnrepository.com/artifact/org.slf4j/slf4j-ext
groupId: org.slf4j
artifactId: slf4j-ext
version: 1.7.25
SLF4J extensions are packaged within slf4j-ext.jar
https://www.slf4j.org/extensions.html
If you use Maven, mvn dependency:tree will generate the dependency tree of your Maven project.
For us the flagging of slf4j-api as vulnerable was a false positive.
https://mvnrepository.com/artifact/org.slf4j/slf4j-api
groupId: org.slf4j
artifactId: slf4j-api
version: 1.7.25
You have to check if your application actually uses slf4j-ext (and org.slf4j.ext.EventData).
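As an added example (not code from the SLF4J project or from anyone in this thread), here is how the two checks described in the comment above can be scripted: parse the output of mvn dependency:tree for org.slf4j:slf4j-ext, then confirm exposure by looking for org/slf4j/ext/EventData.class inside the jars actually on the classpath, which is what separates the slf4j-api false positive from real slf4j-ext usage. The dependency-tree text and the two jars it inspects are constructed for the demo, and the jar file names, version strings and the cal10n/other-lib nodes in the sample tree are assumptions, not data from the thread.

```python
"""Classpath audit for CVE-2018-8088 (org.slf4j.ext.EventData).

Added example for this thread; not code from the SLF4J project or from any
commenter. Two checks, mirroring the advice in the comment above:
  1. parse `mvn dependency:tree` output for org.slf4j:slf4j-ext, and
  2. open every jar on the classpath and look for the EventData class itself,
     so a CPE-level match on slf4j-api can be separated from real exposure.
The dependency-tree text and the two jars are constructed for the demo.
"""
import os
import re
import tempfile
import zipfile

# Coordinates and class named in the thread (the class deprecated by this commit).
VULNERABLE_ARTIFACT = ("org.slf4j", "slf4j-ext")
VULNERABLE_CLASS = "org/slf4j/ext/EventData.class"

# One mvn dependency:tree node: "[INFO] +- groupId:artifactId:jar[:classifier]:version:scope".
# The leading character class eats the tree-drawing prefix ("+- ", "|  \- ").
_TREE_NODE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"
    r"([^:\s]+):([^:\s]+):jar(?::[^:\s]+)?:([^:\s]+):(\w+)\s*$"
)

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.slf4j:slf4j-ext:jar:1.7.25:compile
[INFO] |  \\- ch.qos.cal10n:cal10n-api:jar:0.8.1:compile
[INFO] \\- com.example:other-lib:jar:2.0.0:runtime
"""


def parse_tree(tree_output):
    """Return (groupId, artifactId, version, scope) for each dependency node."""
    nodes = []
    for line in tree_output.splitlines():
        m = _TREE_NODE.match(line)
        if m:
            nodes.append(m.groups())
    return nodes


def slf4j_ext_in_tree(tree_output):
    """Versions of org.slf4j:slf4j-ext declared anywhere in the tree."""
    return [v for g, a, v, _s in parse_tree(tree_output) if (g, a) == VULNERABLE_ARTIFACT]


def jars_with_event_data(jar_paths):
    """Basenames of the jars that actually contain org/slf4j/ext/EventData.class.

    This is the check the SCA warning cannot do for you: slf4j-api shares the
    org.slf4j group but does not ship this class, so it stays out of the result.
    """
    hits = []
    for path in jar_paths:
        with zipfile.ZipFile(path) as zf:
            if VULNERABLE_CLASS in zf.namelist():
                hits.append(os.path.basename(path))
    return hits


def build_demo_classpath(directory):
    """Write two constructed jars: an slf4j-api look-alike and an slf4j-ext look-alike.

    Entries are empty placeholders, not real bytecode; only the entry names matter here.
    """
    api = os.path.join(directory, "slf4j-api-1.7.25.jar")
    ext = os.path.join(directory, "slf4j-ext-1.7.25.jar")
    with zipfile.ZipFile(api, "w") as zf:
        zf.writestr("org/slf4j/Logger.class", b"")
        zf.writestr("org/slf4j/LoggerFactory.class", b"")
    with zipfile.ZipFile(ext, "w") as zf:
        zf.writestr("org/slf4j/ext/XLogger.class", b"")
        zf.writestr(VULNERABLE_CLASS, b"")
    return [api, ext]


def run_audit(tree_output=SAMPLE_TREE):
    """Run both checks against the constructed classpath and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        api_jar, ext_jar = build_demo_classpath(tmp)
        return {
            "slf4j_ext_versions": slf4j_ext_in_tree(tree_output),
            "jars_with_event_data": jars_with_event_data([api_jar, ext_jar]),
            # slf4j-api alone: flagged by the broad CPE, but the class is not there.
            "api_only": jars_with_event_data([api_jar]),
        }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Run it directly to print the findings for the constructed inputs. Against a real project, feed slf4j_ext_in_tree the saved output of mvn dependency:tree and point jars_with_event_data at the jars under target/ or WEB-INF/lib; an empty result from the jar check is the evidence that an slf4j-api-only warning is a false positive.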
@areguru yep, exactly that, you've got it: the CVE is "badly" declared, so although only slf4j-ext is affected, the CPE declaration is too broad and slf4j-* are detected by SCA tools like dependency-check.
Although I have no dependencies on slf4j-ext in my projects, for other people that have slf4j-ext on the classpath, I was wondering if "mark as deprecated" was enough and if there is no other way to exploit the threat than using the constructor directly (using deserialization, for example), but finally I'm not sure it's possible.
Thanks a lot @areguru and @ceki for the feedback.
According to https://www.slf4j.org/download.html version 1.8.0-beta2 is EXPERIMENTAL. Are there any plans to backport this to the STABLE branch 1.7.x and release a version 1.7.26?
@adioss I emailed nvd@nist.gov asking them to fix the CVE but got back this nice auto-reply:
Due to a lapse in appropriations, I will be out of the office and unable to reply to e-mail until further notice.
:)
Looking again, it looks like I was supposed to email mitre.org instead of nist.gov. I did now and they seem to be active. I'll let you know once I hear back from them.
Hey guys. I've just heard back from nist.gov. They will be updating the CVE for slf4j (and 700 others) within the next 24 hours to fix this kind of error (overly-broad warnings). If you guys run across this kind of error in the future, I recommend reporting it to them. They were extremely responsive and helpful. Have a great day :)
@ceki following up on @sepe81's comment above, according to slf4j.org [0], version 1.8.0-beta2 is marked experimental but this version has been available for almost a year [1]. If I can gently ask, what is the plan/timeline for releasing a non-beta version of 1.8.0?
[0] https://www.slf4j.org/download.html
[1] https://github.com/qos-ch/slf4j/releases/tag/v_1.8.0_beta2
I am hoping https://jira.qos.ch/browse/SLF4J-428 gets fixed before 1.8.0 is released because it will affect the Java module name.
Dear @kbabioch, @adioss, @areguru, @sepe81, @cowwoc, @markkolich,
First, I wish you a Happy New Year 2022!
Today, there was progress by @ceki, and a correction about my old requests:
It has been solved in 1.7.26 and 1.8.0-beta4.
I have requested the update of:
And about CVE-2018-8088:
Linked to: