Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2021-05501

Опубликовано: 12 мар. 2021
Источник: fstec
CVSS3: 9.8
CVSS2: 10
EPSS Низкий

Описание

Уязвимость Java-библиотеки Xstream для преобразования объектов в форматы XML или JSON связана с неограниченной загрузкой файлов опасного типа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, загружать и выполнять произвольный код с удаленного хоста путем манипулирования обработанным входным потоком данных

Вендор

Red Hat Inc.
Сообщество свободного программного обеспечения
Canonical Ltd.
Oracle Corp.
Novell Inc.
Fedora Project
Xstream Project
Apache Software Foundation
McAfee Inc.

Наименование ПО

Red Hat Enterprise Linux
Debian GNU/Linux
Ubuntu
Oracle Communications Unified Inventory Management
Red Hat JBoss Fuse
Red Hat Descision Manager
openSUSE Tumbleweed
Red Hat JBoss Data Virtualization
Red Hat BPM Suite
Red Hat JBoss Data Grid
OpenSUSE Leap
Red Hat Process Automation
Fedora
Oracle Business Activity Monitoring
Oracle Banking Platform
Red Hat Integration Camel K
Red Hat Integration Camel Quarkus
XStream
Log4j
Oracle Communications BRM
Oracle Banking Enterprise Default Management
Oracle Retail Xstore Point of Service
Oracle Communications Policy Management
Oracle Banking Virtual Account Management
Red Hat Data Grid
Red Hat CodeReady Studio
Red Hat JBoss A-MQ
Red Hat JBoss BRMS
Red Hat JBoss Fuse Service Works
Red Hat JBoss SOA Platform
Oracle WebCenter Portal
McAfee Web Gateway

Версия ПО

7 (Red Hat Enterprise Linux)
9 (Debian GNU/Linux)
18.04 LTS (Ubuntu)
7.3.2 (Oracle Communications Unified Inventory Management)
7.3.4 (Oracle Communications Unified Inventory Management)
7.3.5 (Oracle Communications Unified Inventory Management)
7.4.0 (Oracle Communications Unified Inventory Management)
7 (Red Hat JBoss Fuse)
6 (Red Hat JBoss Fuse)
7 (Red Hat Descision Manager)
- (openSUSE Tumbleweed)
6 (Red Hat JBoss Data Virtualization)
6 (Red Hat BPM Suite)
20.04 LTS (Ubuntu)
20.10 (Ubuntu)
7 (Red Hat JBoss Data Grid)
15.2 (OpenSUSE Leap)
7 (Red Hat Process Automation)
33 (Fedora)
21.04 (Ubuntu)
11.1.1.9.0 (Oracle Business Activity Monitoring)
12.2.1.3.0 (Oracle Business Activity Monitoring)
34 (Fedora)
2.4.0 (Oracle Banking Platform)
2.7.1 (Oracle Banking Platform)
2.9.0 (Oracle Banking Platform)
- (Red Hat Integration Camel K)
15.3 (OpenSUSE Leap)
- (Red Hat Integration Camel Quarkus)
35 (Fedora)
до 1.4.16 (XStream)
до 5.17.0 (Log4j)
12.0.0.3.0 (Oracle Communications BRM)
2.10.0 (Oracle Banking Enterprise Default Management)
2.12.0 (Oracle Banking Enterprise Default Management)
12.2.1.4.0 (Oracle Business Activity Monitoring)
16.0.6 (Oracle Retail Xstore Point of Service)
17.0.4 (Oracle Retail Xstore Point of Service)
18.0.3 (Oracle Retail Xstore Point of Service)
19.0.2 (Oracle Retail Xstore Point of Service)
12.5.0 (Oracle Communications Policy Management)
14.2 (Oracle Banking Virtual Account Management)
14.3 (Oracle Banking Virtual Account Management)
14.5 (Oracle Banking Virtual Account Management)
8 (Red Hat Data Grid)
12 (Red Hat CodeReady Studio)
6 (Red Hat JBoss A-MQ)
5 (Red Hat JBoss BRMS)
6 (Red Hat JBoss BRMS)
6 (Red Hat JBoss Fuse Service Works)
5 (Red Hat JBoss SOA Platform)
7.4.1 (Oracle Communications Unified Inventory Management)
2.12.0 (Oracle Banking Platform)
11.1.1.9.0 (Oracle WebCenter Portal)
12.2.1.3.0 (Oracle WebCenter Portal)
12.2.1.4.0 (Oracle WebCenter Portal)
до 8.2.22 (McAfee Web Gateway)

Тип ПО

Операционная система
Прикладное ПО информационных систем
Сетевое средство
ПО программно-аппаратных средств защиты

Операционные системы и аппаратные платформы

Red Hat Inc. Red Hat Enterprise Linux 7
Сообщество свободного программного обеспечения Debian GNU/Linux 9
Canonical Ltd. Ubuntu 18.04 LTS
Canonical Ltd. Ubuntu 20.04 LTS
Canonical Ltd. Ubuntu 20.10
Novell Inc. OpenSUSE Leap 15.2
Fedora Project Fedora 33
Canonical Ltd. Ubuntu 21.04
Fedora Project Fedora 34
Novell Inc. OpenSUSE Leap 15.3
Fedora Project Fedora 35

Уровень опасности уязвимости

Критический уровень опасности (базовая оценка CVSS 2.0 составляет 10)
Критический уровень опасности (базовая оценка CVSS 3.0 составляет 9,8)

Возможные меры по устранению уязвимости

Использование рекомендаций:
Для xstream:
https://x-stream.github.io/CVE-2021-21347.html
https://x-stream.github.io/security.html#workaround
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2021-21347
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
Для Apache:
https://lists.apache.org/thread/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3cusers.activemq.apache.org%3e
https://issues.apache.org/jira/browse/AMQ-7426
Для Ubuntu:
https://ubuntu.com/security/CVE-2021-21347
https://ubuntu.com/security/notices/USN-4943-1
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
Для программных продуктов Oracle Corp.:
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2021-21347
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2021-21347.html
Для McAfee Inc.:
https://docs.mcafee.com/ru-RU/bundle/web-gateway-8.2.x-release-notes/page/GUID-66AC8C57-9C6E-4785-994A-641F156C0E0B.html

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Существует в открытом доступе

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 85%
0.02642
Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2021-21347

CVSS3: 6.1
ubuntu
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

redhat логотип

CVE-2021-21347

CVSS3: 8.1
redhat
больше 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

nvd логотип

CVE-2021-21347

CVSS3: 6.1
nvd
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

debian логотип

CVE-2021-21347

CVSS3: 6.1
debian
около 4 лет назад

XStream is a Java library to serialize objects to XML and back again. ...

github логотип

GHSA-qpfq-ph7r-qv6f

CVSS3: 6.1
github
около 4 лет назад

XStream is vulnerable to an Arbitrary Code Execution attack

EPSS

Процентиль: 85%
0.02642
Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2