VMware Cloud Community
prateek_sahoo1
Contributor
Contributor

vcops-suiteapi-client jar contains vulnerable slf4j

We are using vcops-suiteapi-client-1.21-all.jar which contains slf4j-1.7.25 which is vulnerable. Is there any way to remove this vulnerable jar? Is there any alternate jar which would do all the operations that can be done by vcops-suiteapi-client-1.21-all.jar?

Labels (3)
Reply
0 Kudos
3 Replies
RobertMesropyan
VMware Employee
VMware Employee

HI @prateek_sahoo1 
If you mean CVE-2018-8088 vulnerability - the investigation shows that it's actually is false positive

Reply
0 Kudos
prateek_sahoo1
Contributor
Contributor

@RobertMesropyan , Is there any official document?

Reply
0 Kudos
RobertMesropyan
VMware Employee
VMware Employee

hi @prateek_sahoo1 

the correspond owner replied me that:

"

VE-2018-8088 description: org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote
attackers to bypass intended access restrictions via crafted data.

False-positive, we do not use slf4j-ext, the reported path belongs to slf4j-api.
"
hope this clarification helps
Reply
0 Kudos