Description
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker to obtain sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement
OpenShift Container Platform (OCP) delivers the Jenkins LTS package with a bundled XStream library. Due to the Jenkins JEP-200 [1] and JEP-228 [2] projects, the OCP Jenkins package is not affected by this flaw. CodeReady Studio 12 ships a version of xstream that is affected by this flaw as a transitive dependency of the Wise framework plugin. However, the vulnerable code is not called, so this flaw has been marked as Low severity for CodeReady Studio 12.

[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security
Mitigation
Depending on the version of XStream used, there are various usage patterns that mitigate this flaw. We strongly recommend the allow list approach if at all possible, since there are likely further class combinations that the deny list approach does not address.

Allow list approach

Deny list for XStream 1.4.16 (this should also address some previous flaws found in 1.4.7 -> 1.4.15)

Deny list for XStream 1.4.15

Deny list for XStream 1.4.13

Deny list for XStream 1.4.7 -> 1.4.12

Deny list for versions prior to XStream 1.4.7
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | xstream | Will not fix | | |
| Red Hat CodeReady Studio 12 | xstream | Affected | | |
| Red Hat JBoss A-MQ 6 | xstream | Out of support scope | | |
| Red Hat JBoss BRMS 5 | xstream | Will not fix | | |
| Red Hat JBoss BRMS 6 | xstream | Will not fix | | |
| Red Hat JBoss Data Grid 7 | xstream | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | xstream | Will not fix | | |
| Red Hat JBoss Fuse 6 | xstream | Out of support scope | | |
| Red Hat JBoss Fuse Service Works 6 | xstream | Out of support scope | | |
| Red Hat JBoss SOA Platform 5 | xstream | Will not fix | | |
Additional information

CVSS3: 7.5 High