Remedy for CVE-2018-8088 in elastic-apm-agent-1.21.0.jar?

A scan is turning up a CVE for this:

CRITICAL Vulnerability found in non-os package type (java) - /elastic-apm-agent-1.21.0.jar:slf4j-api (CVE-2018-8088 - https://nvd.nist.gov/vuln/detail/CVE-2018-8088)

This showed up in an earlier version, too (1.17.0). 1.21.0 is the latest and still has this?

Hi and thanks a lot for the report.

For security reports, please don't report them in the forum but stick to the process laid out in Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic.

For this particular case it seems like a false positive.
The CVE is about the slf4j-ext module which the agent does not use. We only use slf4j-api which does not contain the vulnerable org.slf4j.ext.EventData class.

Nevertheless, I'll update the slf4j version and make sure we'll stay up to date with new versions: Update slf4j and add to dependabot allow list by felixbarny · Pull Request #1669 · elastic/apm-agent-java · GitHub

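A quick way to verify the false-positive reasoning above is to check whether the agent jar actually bundles the slf4j-ext class the CVE concerns, rather than trusting the scanner's package-name match. The following is an added example, not code from the thread or from the Elastic project; it scans a jar (and any nested jars, including shaded relocations of the package) for org.slf4j.ext.EventData, and the sample jars it builds in memory are constructed stand-ins, not real artifacts.

```python
import io
import zipfile

# Class file that CVE-2018-8088 concerns (lives in slf4j-ext, not slf4j-api).
VULNERABLE_CLASS = "org/slf4j/ext/EventData.class"


def _scan(data: bytes, path: str, hits: list, depth: int = 0) -> None:
    """Recursively collect entries of a jar (and nested jars) matching the vulnerable class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            # Match the class at its original package and when a shading tool relocated it.
            if name == VULNERABLE_CLASS or name.endswith("/slf4j/ext/EventData.class"):
                hits.append(f"{path}!{name}")
            elif name.endswith(".jar") and depth < 5:
                _scan(zf.read(name), f"{path}!{name}", hits, depth + 1)


def find_vulnerable_class(jar_bytes: bytes, label: str = "jar") -> list:
    """Return the locations of the slf4j-ext EventData class inside a jar, or [] if absent."""
    hits = []
    _scan(jar_bytes, label, hits)
    return hits


def build_sample_jar(entries: dict) -> bytes:
    """Construct an in-memory jar from entry names (constructed sample, not real class files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a jar bundling only slf4j-api classes, and one that nests slf4j-ext.
API_ONLY_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "org/slf4j/Logger.class": b"\xca\xfe\xba\xbe",
    "org/slf4j/LoggerFactory.class": b"\xca\xfe\xba\xbe",
})
WITH_EXT_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "org/slf4j/Logger.class": b"\xca\xfe\xba\xbe",
    "lib/slf4j-ext-SAMPLE.jar": build_sample_jar({VULNERABLE_CLASS: b"\xca\xfe\xba\xbe"}),
})

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # e.g. elastic-apm-agent-1.21.0.jar
        print(find_vulnerable_class(f.read(), sys.argv[1]) or "vulnerable class not present")
```

An empty result for the real agent jar supports treating the finding as a false positive; a hit gives the exact nested path to raise with the vendor.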

Oh, thank you. I did not realize there was a separate process for this. In any case, this was Anchore finding this, if that helps at all. Forgot to mention that in original question.

Cheers.