Bug 63175

Summary: Please update dependency of slf4j (CVE-2018-8088)
Product: JMeter - Now in Github
Reporter: S. Seide <stefan>
Component: Main
Assignee: JMeter issues mailing list <issues>
Status: RESOLVED DUPLICATE
Severity: normal
CC: p.mouawad
Priority: P2
Keywords: FixedInTrunk
Version: 5.0
Target Milestone: JMETER_5.1
Hardware: PC
OS: Linux

Description S. Seide 2019-02-14 11:41:28 UTC
Due to some security problems in the currently used slf4j 1.7.25, an update to the current 1.8.0 should be considered, even if it's flagged as beta3 right now.

Problem CVE-2018-8088 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088

I have not checked whether it is possible for users (test plan creators) to exploit this bug via JSR223 Sampler/Processors etc. with custom log messages, or whether such data may be fed into JMeter in different ways, but at least this risk should be evaluated and mitigated by updating slf4j.

Thanks,
Stefan Seide
Comment 1 Felix Schumacher 2019-02-14 17:57:17 UTC
The CVE is about slf4j-ext, which has already been dropped from our dependencies in trunk and will be removed with JMeter version 5.1, which is currently being voted on.

*** This bug has been marked as a duplicate of bug 63090 ***
Comment 2 The ASF infrastructure team 2022-09-24 20:38:16 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5011