Bug 63175 - Please update dependency of slf4j (CVE-2018-8088)
Summary: Please update dependency of slf4j (CVE-2018-8088)
Status: RESOLVED DUPLICATE of bug 63090
Alias: None
Product: JMeter
Classification: Unclassified
Component: Main
Version: 5.0
Hardware: PC Linux
Importance: P2 normal
Target Milestone: JMETER_5.1
Assignee: JMeter issues mailing list
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
Reported: 2019-02-14 11:41 UTC by S. Seide
Modified: 2019-02-14 19:55 UTC
CC List: 1 user
Description S. Seide 2019-02-14 11:41:28 UTC
Due to some security problems in currently used slf4j 1.7.25 an update to current 1.8.0 should be considered. Even if it's flagged as beta3 right now.

Problem CVE-2018-8088 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088

I have not checked if it is possible for users (test plan creators) to exploit this bug via JSR223 Sampler/Processors etc. with custom log messages or if these data may be fed into JMeter via different ways but at least this risk should be evaluated and mitigated by updating slf4j.

Thanks,
Stefan Seide
Comment 1 Felix Schumacher 2019-02-14 17:57:17 UTC
The CVE is about slf4j-ext, which is dropped already from our dependencies in trunk and will be removed with JMeter version 5.1 which is currently voted on.

*** This bug has been marked as a duplicate of bug 63090 ***
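Since the resolution above says the affected artifact is slf4j-ext (dropped from the dependencies, not slf4j-api itself), the practical check for an operator running a pre-5.1 JMeter is whether an slf4j-ext jar is still present in the installation's lib directory. The following script is an added example, not code from the bug report or from the JMeter project; the function name and the directory layout it scans are assumptions, and the demo directory it builds is constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the bug report or JMeter): report whether an
# slf4j-ext jar, the artifact CVE-2018-8088 concerns, sits in a JMeter lib dir.

# check_slf4j_ext DIR
#   Prints each slf4j-ext*.jar found under DIR.
#   Returns 0 when none is present, 1 when at least one is (assumed helper name).
check_slf4j_ext() {
    dir="$1"
    found=0
    for jar in "$dir"/slf4j-ext*.jar; do
        # An unmatched glob stays literal; skip it.
        [ -e "$jar" ] || continue
        echo "slf4j-ext artifact present: $jar"
        found=1
    done
    return "$found"
}

# Constructed demo: a temporary lib directory mimicking an install that still
# ships both slf4j-api and slf4j-ext (file names are illustrative only).
demo_dir=$(mktemp -d)
: > "$demo_dir/slf4j-api-1.7.25.jar"
: > "$demo_dir/slf4j-ext-1.7.25.jar"
if check_slf4j_ext "$demo_dir"; then
    echo "no slf4j-ext jar in $demo_dir"
else
    echo "slf4j-ext found in $demo_dir: upgrade to JMeter 5.1 or remove the jar"
fi
rm -rf "$demo_dir"
```

Point the function at a real installation with `check_slf4j_ext /path/to/apache-jmeter/lib` (path assumed); a non-zero exit is the signal that the dependency removed in 5.1 is still on the classpath.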