https://bugzilla.redhat.com/show_bug.cgi?id=1997791
Bug ID: 1997791
Summary: CVE-2021-39151 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, drieden(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
extras-orphan(a)fedoraproject.org,
fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jrokos(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lkundrak(a)v3.sk,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
pdelbell(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
sponnaga(a)redhat.com, tcunning(a)redhat.com,
tkirby(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4
https://x-stream.github.io/CVE-2021-39151.html
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1997786
Bug ID: 1997786
Summary: CVE-2021-39150 xstream: SSRF can be activated
unmarshalling with XStream to access data streams from
an arbitrary URL referencing a resource in an intranet
or the local host
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to request
data from internal resources that are not publicly available only by
manipulating the processed input stream with a Java runtime version 14 to 8. No
user who followed the recommendation to set up XStream's security framework
with a whitelist limited to the minimal required types is affected. If you rely
on XStream's default blacklist of the Security Framework
(https://x-stream.github.io/security.html#framework), you will have to use at
least version 1.4.18.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
https://x-stream.github.io/CVE-2021-39150.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997784
Bug ID: 1997784
Summary: CVE-2021-39149 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x
https://x-stream.github.io/CVE-2021-39149.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997781
Bug ID: 1997781
Summary: CVE-2021-39148 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2
https://x-stream.github.io/CVE-2021-39148.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997779
Bug ID: 1997779
Summary: CVE-2021-39147 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc
https://x-stream.github.io/CVE-2021-39147.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997775
Bug ID: 1997775
Summary: CVE-2021-39145 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v
https://x-stream.github.io/CVE-2021-39145.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997777
Bug ID: 1997777
Summary: CVE-2021-39146 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f
https://x-stream.github.io/CVE-2021-39146.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997769
Bug ID: 1997769
Summary: CVE-2021-39141 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. No user who followed the recommendation to set up XStream's
security framework with a whitelist limited to the minimal required types is
affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot
be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2
https://x-stream.github.io/CVE-2021-39141.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997763
Bug ID: 1997763
Summary: CVE-2021-39139 xstream: vulnerable to an arbitrary
code execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to load and
execute arbitrary code from a remote host only by manipulating the processed
input stream. A user is only affected if using the version out of the box with
JDK 1.7u21 or below. However, this scenario can be adjusted easily to an
external Xalan that works regardless of the version of the Java runtime. No
user who followed the recommendation to set up XStream's security framework
with a whitelist limited to the minimal required types is affected. XStream
1.4.18 no longer uses a blacklist by default, since it cannot be secured for
general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
https://x-stream.github.io/CVE-2021-39139.html
--
https://bugzilla.redhat.com/show_bug.cgi?id=1997765
Bug ID: 1997765
Summary: CVE-2021-39140 xstream: DoS by manipulating the
processed input stream
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: (same CC list as bug 1997791 above)
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to allocate
100% CPU time on the target system, depending on CPU type or parallel execution
of such a payload, resulting in a denial of service only by manipulating the
processed input stream. No user who followed the recommendation to set up
XStream's security framework with a whitelist limited to the minimal required
types is affected. XStream 1.4.18 no longer uses a blacklist by default, since
it cannot be secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc
https://x-stream.github.io/CVE-2021-39140.html
--
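All ten bugs above (CVE-2021-39139 through CVE-2021-39151) carry the same
mitigation statement: configure XStream's security framework with a whitelist
limited to the minimal required types, so that the unmarshaller refuses every
other class by name before any converter or reflection code runs. The following
is an added example of that setup, not code from these bug reports or from the
XStream project. It assumes an XStream 1.4.7 or later jar on the classpath (the
security framework and the addPermission/allowTypes calls appeared in 1.4.7),
uses a hypothetical application type Order, and the two XML inputs are
constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not XStream project code): unmarshal with an explicit
 * whitelist of the minimal required types, as the advisories recommend.
 */
public class XStreamAllowlistExample {

    /** Hypothetical application type: the only user-defined class the parser may build. */
    public static class Order {
        public String id;
        public int quantity;
        public List<String> tags = new ArrayList<>();
    }

    /** XStream instance that rejects every type not explicitly listed here. */
    public static XStream hardenedXStream() {
        // DomDriver uses the JDK's own XML parser, so no extra parser jar is needed.
        XStream xstream = new XStream(new DomDriver());
        // Drop whatever permissions this XStream version ships with (a blacklist
        // up to 1.4.17, a minimal default list from 1.4.18 on) and rebuild from
        // "nothing is allowed". Adding NoTypePermission.NONE clears all permissions.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);                // <null/> values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        // Exact classes only; no package wildcards and no java.** style patterns.
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Parses an order document; any other root or nested type is refused. */
    public static Order parseOrder(String xml) {
        return (Order) hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample input for the happy path.
        String good = "<order><id>A-17</id><quantity>3</quantity>"
                    + "<tags><string>rush</string></tags></order>";
        Order o = parseOrder(good);
        System.out.println("parsed order " + o.id + " x" + o.quantity + " tags=" + o.tags);

        // Constructed probe: a JDK class this application never needs. The
        // whitelist rejects it by name before any converter or reflection runs,
        // which is the property the advisories rely on.
        String probe = "<java.lang.ProcessBuilder/>";
        try {
            parseOrder(probe);
            System.out.println("UNEXPECTED: probe accepted, whitelist not in effect");
        } catch (ForbiddenClassException e) {
            // Thrown directly when the forbidden type is the root element.
            System.out.println("rejected as expected: " + e.getMessage());
        } catch (XStreamException e) {
            // A forbidden type below the root is reported wrapped in a
            // ConversionException; the cause is still the ForbiddenClassException.
            System.out.println("rejected as expected: " + e.getCause());
        }
    }
}
```

Two practical notes. First, the whitelist is only as tight as its entries:
allowTypesByWildcard with a broad pattern, allowTypeHierarchy on a wide
interface, or AnyTypePermission re-opens the same gadget surface, so list the
concrete classes your documents need and nothing more. Second, the bug text
makes clear that relying on the pre-1.4.18 default blacklist is not a fix, so
also confirm which version is actually on the classpath (for a Maven build,
mvn dependency:tree -Dincludes=com.thoughtworks.xstream shows it, including
transitive copies pulled in by other libraries).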