java-sig-commits February 2022

java-sig-commits@lists.fedoraproject.org

1 participants
218 discussions

[Bug 1997791] New: CVE-2021-39151 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997791 Bug ID: 1997791 Summary: CVE-2021-39151 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4 https://x-stream.github.io/CVE-2021-39151.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997786] New: CVE-2021-39150 xstream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997786 Bug ID: 1997786 Summary: CVE-2021-39150 xstream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. References: https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp https://x-stream.github.io/CVE-2021-39150.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997784] New: CVE-2021-39149 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997784 Bug ID: 1997784 Summary: CVE-2021-39149 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x https://x-stream.github.io/CVE-2021-39149.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997781] New: CVE-2021-39148 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997781 Bug ID: 1997781 Summary: CVE-2021-39148 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2 https://x-stream.github.io/CVE-2021-39148.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997779] New: CVE-2021-39147 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997779 Bug ID: 1997779 Summary: CVE-2021-39147 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc https://x-stream.github.io/CVE-2021-39147.html -- You are receiving this mail because: You are on the CC list for the bug.

1 21

[Bug 1997775] New: CVE-2021-39145 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997775 Bug ID: 1997775 Summary: CVE-2021-39145 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v https://x-stream.github.io/CVE-2021-39145.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997777] New: CVE-2021-39146 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997777 Bug ID: 1997777 Summary: CVE-2021-39146 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f https://x-stream.github.io/CVE-2021-39146.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997769] New: CVE-2021-39141 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997769 Bug ID: 1997769 Summary: CVE-2021-39141 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2 https://x-stream.github.io/CVE-2021-39141.html -- You are receiving this mail because: You are on the CC list for the bug.

1 20

[Bug 1997763] New: CVE-2021-39139 xstream: vulnerable to an arbitrary code execution attack
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997763 Bug ID: 1997763 Summary: CVE-2021-39139 xstream: vulnerable to an arbitrary code execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44 https://x-stream.github.io/CVE-2021-39139.html -- You are receiving this mail because: You are on the CC list for the bug.

1 21

[Bug 1997765] New: CVE-2021-39140 xstream: DoS by manipulating the processed input stream
by bugzilla＠redhat.com 14 Feb '22

14 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1997765 Bug ID: 1997765 Summary: CVE-2021-39140 xstream: DoS by manipulating the processed input stream Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc https://x-stream.github.io/CVE-2021-39140.html -- You are receiving this mail because: You are on the CC list for the bug.

1 19

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2022