[Bugs] [Bug 13347] New: [CVE 21] xstream 1.4.11.1 CVEs found
bugzilla
bugzilla на rosalinux.ru
Ср Май 3 17:22:10 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13347
Platform: 2021.1
Bug ID: 13347
Summary: [CVE 21] xstream 1.4.11.1 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2020-26217, CVE-2020-26258, CVE-2020-26259,
CVE-2021-21341, CVE-2021-21342, CVE-2021-21343,
CVE-2021-21344, CVE-2021-21345, CVE-2021-21346,
CVE-2021-21347, CVE-2021-21348, CVE-2021-21349,
CVE-2021-21350, CVE-2021-21351, CVE-2021-29505,
CVE-2021-39139, CVE-2021-39140, CVE-2021-39141,
CVE-2021-39144, CVE-2021-39145, CVE-2021-39146,
CVE-2021-39147, CVE-2021-39148, CVE-2021-39149,
CVE-2021-39150, CVE-2021-39151, CVE-2021-39152,
CVE-2021-39153, CVE-2021-39154, CVE-2021-43859,
CVE-2022-41966,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs на lists.rosalinux.ru
Reporter: y.tumanov на rosalinux.ru
QA Contact: bugs на lists.rosalinux.ru
CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package xstream version 1.4.11.1
INFO (CVEs are): xstream 1.4.11.1
cves found
CVE-2020-26217
Desc: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The
vulnerability may allow a remote attacker to run arbitrary shell commands only
by manipulating the processed input stream. Only users who rely on blocklists
are affected. Anyone using XStream's Security Framework allowlist is not
affected. The linked advisory provides code workarounds for users who cannot
upgrade. The issue is fixed in version 1.4.14.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-26217
Severity: HIGH
CVE-2020-26258
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can
be activated when unmarshalling. The vulnerability may allow a remote attacker
to request data from internal resources that are not publicly available only by
manipulating the processed input stream. If you rely on XStream's default
blacklist of the Security Framework, you will have to use at least version
1.4.15. The reported vulnerability does not exist if running Java 15 or higher.
No user is affected who followed the recommendation to setup XStream's Security
Framework with a whitelist! Anyone relying on XStream's default blacklist can
immediately switch to a whilelist for the allowed types to avoid the
vulnerability. Users of XStream 1.4.14 or below who still want to use XStream
default blacklist can use a workaround described in more detailed in the
referenced advisories.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-26258
Severity: HIGH
CVE-2020-26259
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on
the local host when unmarshalling. The vulnerability may allow a remote
attacker to delete arbitrary know files on the host as log as the executing
process has sufficient rights only by manipulating the processed input stream.
If you rely on XStream's default blacklist of the Security Framework, you will
have to use at least version 1.4.15. The reported vulnerability does not exist
running Java 15 or higher. No user is affected, who followed the recommendation
to setup XStream's Security Framework with a whitelist! Anyone relying on
XStream's default blacklist can immediately switch to a whilelist for the
allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who
still want to use XStream default blacklist can use a workaround described in
more detailed in the referenced advisories.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-26259
Severity: MEDIUM
CVE-2021-21341
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is vulnerability which may allow a remote
attacker to allocate 100% CPU time on the target system depending on CPU type
or parallel execution of such a payload resulting in a denial of service only
by manipulating the processed input stream. No user is affected who followed
the recommendation to setup XStream's security framework with a whitelist
limited to the minimal required types. If you rely on XStream's default
blacklist of the Security Framework, you will have to use at least version
1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21341
Severity: HIGH
CVE-2021-21342
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability where the processed
stream at unmarshalling time contains type information to recreate the formerly
written objects. XStream creates therefore new instances based on these type
information. An attacker can manipulate the processed input stream and replace
or inject objects, that result in a server-side forgery request. No user is
affected, who followed the recommendation to setup XStream's security framework
with a whitelist limited to the minimal required types. If you rely on
XStream's default blacklist of the Security Framework, you will have to use at
least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21342
Severity: CRITICAL
CVE-2021-21343
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability where the processed
stream at unmarshalling time contains type information to recreate the formerly
written objects. XStream creates therefore new instances based on these type
information. An attacker can manipulate the processed input stream and replace
or inject objects, that result in the deletion of a file on the local host. No
user is affected, who followed the recommendation to setup XStream's security
framework with a whitelist limited to the minimal required types. If you rely
on XStream's default blacklist of the Security Framework, you will have to use
at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21343
Severity: HIGH
CVE-2021-21344
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to load and execute arbitrary code from a remote host only by
manipulating the processed input stream. No user is affected, who followed the
recommendation to setup XStream's security framework with a whitelist limited
to the minimal required types. If you rely on XStream's default blacklist of
the Security Framework, you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21344
Severity: CRITICAL
CVE-2021-21345
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker who has sufficient rights to execute commands of the host only
by manipulating the processed input stream. No user is affected, who followed
the recommendation to setup XStream's security framework with a whitelist
limited to the minimal required types. If you rely on XStream's default
blacklist of the Security Framework, you will have to use at least version
1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21345
Severity: CRITICAL
CVE-2021-21346
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to load and execute arbitrary code from a remote host only by
manipulating the processed input stream. No user is affected, who followed the
recommendation to setup XStream's security framework with a whitelist limited
to the minimal required types. If you rely on XStream's default blacklist of
the Security Framework, you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21346
Severity: CRITICAL
CVE-2021-21347
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to load and execute arbitrary code from a remote host only by
manipulating the processed input stream. No user is affected, who followed the
recommendation to setup XStream's security framework with a whitelist limited
to the minimal required types. If you rely on XStream's default blacklist of
the Security Framework, you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21347
Severity: CRITICAL
CVE-2021-21348
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to occupy a thread that consumes maximum CPU time and will
never return. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. If you rely on XStream's default blacklist of the Security Framework,
you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21348
Severity: HIGH
CVE-2021-21349
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to request data from internal resources that are not publicly
available only by manipulating the processed input stream. No user is affected,
who followed the recommendation to setup XStream's security framework with a
whitelist limited to the minimal required types. If you rely on XStream's
default blacklist of the Security Framework, you will have to use at least
version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21349
Severity: HIGH
CVE-2021-21350
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability which may allow a
remote attacker to execute arbitrary code only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. If you rely on XStream's default blacklist of the Security Framework,
you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21350
Severity: CRITICAL
CVE-2021-21351
Desc: XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.16, there is a vulnerability may allow a remote
attacker to load and execute arbitrary code from a remote host only by
manipulating the processed input stream. No user is affected, who followed the
recommendation to setup XStream's security framework with a whitelist limited
to the minimal required types. If you rely on XStream's default blacklist of
the Security Framework, you will have to use at least version 1.4.16.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21351
Severity: CRITICAL
CVE-2021-29505
Desc: XStream is software for serializing Java objects to XML and back again. A
vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker
has sufficient rights to execute commands of the host only by manipulating the
processed input stream. No user who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types is affected. The vulnerability is patched in version 1.4.17.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-29505
Severity: HIGH
CVE-2021-39139
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. A user is only affected if using the version out of the box with
JDK 1.7u21 or below. However, this scenario can be adjusted easily to an
external Xalan that works regardless of the version of the Java runtime. No
user is affected, who followed the recommendation to setup XStream's security
framework with a whitelist limited to the minimal required types. XStream
1.4.18 uses no longer a blacklist by default, since it cannot be secured for
general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39139
Severity: HIGH
CVE-2021-39140
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to allocate
100% CPU time on the target system depending on CPU type or parallel execution
of such a payload resulting in a denial of service only by manipulating the
processed input stream. No user is affected, who followed the recommendation to
setup XStream's security framework with a whitelist limited to the minimal
required types. XStream 1.4.18 uses no longer a blacklist by default, since it
cannot be secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39140
Severity: MEDIUM
CVE-2021-39141
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39141
Severity: HIGH
CVE-2021-39144
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker has
sufficient rights to execute commands of the host only by manipulating the
processed input stream. No user is affected, who followed the recommendation to
setup XStream's security framework with a whitelist limited to the minimal
required types. XStream 1.4.18 uses no longer a blacklist by default, since it
cannot be secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39144
Severity: HIGH
CVE-2021-39145
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39145
Severity: HIGH
CVE-2021-39146
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39146
Severity: HIGH
CVE-2021-39147
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39147
Severity: HIGH
CVE-2021-39148
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39148
Severity: HIGH
CVE-2021-39149
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39149
Severity: HIGH
CVE-2021-39150
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to request
data from internal resources that are not publicly available only by
manipulating the processed input stream with a Java runtime version 14 to 8. No
user is affected, who followed the recommendation to setup XStream's security
framework with a whitelist limited to the minimal required types. If you rely
on XStream's default blacklist of the [Security
Framework](https://x-stream.github.io/security.html#framework), you will have
to use at least version 1.4.18.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39150
Severity: HIGH
CVE-2021-39151
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39151
Severity: HIGH
CVE-2021-39152
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to request
data from internal resources that are not publicly available only by
manipulating the processed input stream with a Java runtime version 14 to 8. No
user is affected, who followed the recommendation to setup XStream's security
framework with a whitelist limited to the minimal required types. If you rely
on XStream's default blacklist of the [Security
Framework](https://x-stream.github.io/security.html#framework), you will have
to use at least version 1.4.18.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39152
Severity: HIGH
CVE-2021-39153
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream, if using the version out of the box with Java runtime version 14
to 8 or with JavaFX installed. No user is affected, who followed the
recommendation to setup XStream's security framework with a whitelist limited
to the minimal required types. XStream 1.4.18 uses no longer a blacklist by
default, since it cannot be secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39153
Severity: HIGH
CVE-2021-39154
Desc: XStream is a simple library to serialize objects to XML and back again.
In affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user is affected, who followed the recommendation to setup
XStream's security framework with a whitelist limited to the minimal required
types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be
secured for general purpose.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-39154
Severity: HIGH
CVE-2021-43859
Desc: XStream is an open source java library to serialize objects to XML and
back again. Versions prior to 1.4.19 may allow a remote attacker to allocate
100% CPU time on the target system depending on CPU type or parallel execution
of such a payload resulting in a denial of service only by manipulating the
processed input stream. XStream 1.4.19 monitors and accumulates the time it
takes to add elements to collections and throws an exception if a set threshold
is exceeded. Users are advised to upgrade as soon as possible. Users unable to
upgrade may set the NO_REFERENCE mode to prevent recursion. See
GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not
possible.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43859
Severity: HIGH
CVE-2022-41966
Desc: XStream serializes Java objects to XML and back again. Versions prior to
1.4.20 may allow a remote attacker to terminate the application with a stack
overflow error, resulting in a denial of service only via manipulation the
processed input stream. The attack uses the hash code implementation for
collections and maps to force recursive hash calculation causing a stack
overflow. This issue is patched in version 1.4.20 which handles the stack
overflow and raises an InputManipulationException instead. A potential
workaround for users who only use HashMap or HashSet and whose XML refers these
only as default map or set, is to change the default implementation of
java.util.Map and java.util per the code example in the referenced advisory.
However, this implies that your application does not care about the
implementation of the map and all elements are comparable.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41966
Severity: HIGH
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/1c812f3f/attachment-0001.html>
Подробная информация о списке рассылки Bugs