exploitDog
BDU:2021-05946

Published: 12 Mar 2021
Source: fstec
CVSS3: 9.9
CVSS2: 9
EPSS: High

Description

A vulnerability in XStream, a Java library for serializing objects to XML or JSON, is caused by improper control of code generation. Exploiting the vulnerability may allow a remote attacker to execute commands on the host by manipulating the processed input stream.

Vendor

Red Hat Inc.
Free Software Community
Canonical Ltd.
Oracle Corp.
Novell Inc.
Fedora Project
Xstream Project
Apache Software Foundation
McAfee Inc.

Software name

Red Hat Enterprise Linux
Debian GNU/Linux
Ubuntu
Oracle Communications Unified Inventory Management
Red Hat JBoss Fuse
Red Hat Decision Manager
openSUSE Tumbleweed
Oracle Endeca Information Discovery Studio
Red Hat JBoss Data Virtualization
Red Hat BPM Suite
Red Hat JBoss Data Grid
openSUSE Leap
Red Hat Process Automation
Fedora
Oracle Banking Credit Facilities Process Management
Oracle Banking Corporate Lending Process Management
Oracle Business Activity Monitoring
Oracle Banking Platform
Red Hat Integration Camel K
Red Hat Integration Camel Quarkus
XStream
Log4j
Oracle Communications BRM
Oracle Banking Enterprise Default Management
Oracle Retail Xstore Point of Service
Oracle Communications Policy Management
Oracle Banking Virtual Account Management
Red Hat Data Grid
Red Hat CodeReady Studio
Red Hat JBoss A-MQ
Red Hat JBoss BRMS
Red Hat JBoss Fuse Service Works
Red Hat JBoss SOA Platform
Oracle WebCenter Portal
Oracle Banking Cash Management
Oracle Banking Supply Chain Finance
McAfee Web Gateway

Software version

7 (Red Hat Enterprise Linux)
9 (Debian GNU/Linux)
18.04 LTS (Ubuntu)
7.3.2 (Oracle Communications Unified Inventory Management)
7.3.4 (Oracle Communications Unified Inventory Management)
7.3.5 (Oracle Communications Unified Inventory Management)
7.4.0 (Oracle Communications Unified Inventory Management)
7 (Red Hat JBoss Fuse)
6 (Red Hat JBoss Fuse)
7 (Red Hat Decision Manager)
- (openSUSE Tumbleweed)
3.2.0 (Oracle Endeca Information Discovery Studio)
6 (Red Hat JBoss Data Virtualization)
6 (Red Hat BPM Suite)
20.04 LTS (Ubuntu)
20.10 (Ubuntu)
7 (Red Hat JBoss Data Grid)
15.2 (openSUSE Leap)
7 (Red Hat Process Automation)
33 (Fedora)
21.04 (Ubuntu)
14.3.0 (Oracle Banking Credit Facilities Process Management)
14.3.0 (Oracle Banking Corporate Lending Process Management)
11.1.1.9.0 (Oracle Business Activity Monitoring)
12.2.1.3.0 (Oracle Business Activity Monitoring)
34 (Fedora)
2.4.0 (Oracle Banking Platform)
2.9.0 (Oracle Banking Platform)
- (Red Hat Integration Camel K)
15.3 (openSUSE Leap)
- (Red Hat Integration Camel Quarkus)
35 (Fedora)
before 1.4.16 (XStream)
before 5.17.0 (Log4j)
12.0.0.3.0 (Oracle Communications BRM)
2.10.0 (Oracle Banking Enterprise Default Management)
2.12.0 (Oracle Banking Enterprise Default Management)
12.2.1.4.0 (Oracle Business Activity Monitoring)
16.0.6 (Oracle Retail Xstore Point of Service)
17.0.4 (Oracle Retail Xstore Point of Service)
18.0.3 (Oracle Retail Xstore Point of Service)
19.0.2 (Oracle Retail Xstore Point of Service)
12.5.0 (Oracle Communications Policy Management)
14.2 (Oracle Banking Virtual Account Management)
14.3 (Oracle Banking Virtual Account Management)
14.5 (Oracle Banking Virtual Account Management)
8 (Red Hat Data Grid)
12 (Red Hat CodeReady Studio)
6 (Red Hat JBoss A-MQ)
5 (Red Hat JBoss BRMS)
6 (Red Hat JBoss BRMS)
6 (Red Hat JBoss Fuse Service Works)
5 (Red Hat JBoss SOA Platform)
7.4.1 (Oracle Communications Unified Inventory Management)
2.12.0 (Oracle Banking Platform)
11.1.1.9.0 (Oracle WebCenter Portal)
12.2.1.3.0 (Oracle WebCenter Portal)
12.2.1.4.0 (Oracle WebCenter Portal)
14.2 (Oracle Banking Corporate Lending Process Management)
14.5 (Oracle Banking Corporate Lending Process Management)
14.2 (Oracle Banking Credit Facilities Process Management)
14.5 (Oracle Banking Credit Facilities Process Management)
14.2 (Oracle Banking Cash Management)
14.3 (Oracle Banking Cash Management)
14.5 (Oracle Banking Cash Management)
14.2 (Oracle Banking Supply Chain Finance)
14.3 (Oracle Banking Supply Chain Finance)
14.5 (Oracle Banking Supply Chain Finance)
before 8.2.22 (McAfee Web Gateway)

Software type

Operating system
Information system application software
Network device
Software of hardware/software security appliances

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 7
Free Software Community Debian GNU/Linux 9
Canonical Ltd. Ubuntu 18.04 LTS
Canonical Ltd. Ubuntu 20.04 LTS
Canonical Ltd. Ubuntu 20.10
Novell Inc. openSUSE Leap 15.2
Fedora Project Fedora 33
Canonical Ltd. Ubuntu 21.04
Fedora Project Fedora 34
Novell Inc. openSUSE Leap 15.3
Fedora Project Fedora 35

Vulnerability severity level

High severity (CVSS 2.0 base score: 9)
Critical severity (CVSS 3.0 base score: 9.6)

Possible remediation measures

Apply the vendor recommendations:
For XStream:
https://x-stream.github.io/security.html#workaround
https://x-stream.github.io/CVE-2021-21345.html
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2021-21345
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
For Apache:
https://lists.apache.org/thread/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3cusers.activemq.apache.org%3e
https://issues.apache.org/jira/browse/AMQ-7426
For Ubuntu:
https://ubuntu.com/security/CVE-2021-21344
https://ubuntu.com/security/notices/USN-4943-1
For Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
For Oracle Corp. software products:
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2021-21345
For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2021-21345.html
For McAfee Inc.:
https://docs.mcafee.com/ru-RU/bundle/web-gateway-8.2.x-release-notes/page/GUID-66AC8C57-9C6E-4785-994A-641F156C0E0B.html

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS: 0.86687 (percentile: 99%, High)

CVSS3: 9.9 Critical

CVSS2: 9 Critical

Related vulnerabilities

CVSS3: 5.8
ubuntu
about 4 years ago

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS3: 8.5
redhat
more than 4 years ago

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS3: 5.8
nvd
about 4 years ago

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS3: 5.8
debian
about 4 years ago

XStream is a Java library to serialize objects to XML and back again. ...

CVSS3: 5.8
github
about 4 years ago

XStream is vulnerable to a Remote Command Execution attack
