ALAS2-2018-999


Amazon Linux 2 Security Advisory: ALAS-2018-999
Advisory Release Date: 2018-04-19 22:45 Pacific
Severity: Important
References: CVE-2018-8088 

Issue Overview:

Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution:
An XML deserialization vulnerability was discovered in slf4j's EventData which accepts anXML serialized string and can lead to arbitrary code execution. (CVE-2018-8088 )


Affected Packages:

slf4j


Issue Correction:
Run yum update slf4j to update your system.

New Packages:
noarch:
    slf4j-1.7.4-4.amzn2.noarch
    slf4j-javadoc-1.7.4-4.amzn2.noarch
    slf4j-manual-1.7.4-4.amzn2.noarch

src:
    slf4j-1.7.4-4.amzn2.src