Bug 1051277 (CVE-2013-7285)

Summary: CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: chazlett, grocha, jcoleman, kconner, mizdebsk, mjc, msrb, security-response-team, soa-p-jira, tcunning, weli
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Last Closed: 2018-11-16 20:25:17 UTC
Bug Depends On: 1063566, 1063567, 1063568, 1063569, 1063570, 1063571, 1063572, 1063573, 1063574, 1063575, 1063602, 1063603, 1063604, 1063605, 1063625, 1124701
Bug Blocks: 1051281, 1058944, 1062718, 1072116, 1073684, 1082921, 1082938, 1110978, 1125720, 1244362

Description David Jorm 2014-01-10 00:32:17 UTC
It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
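
The flaw described above, as an added Java example that is not part of this bug report or of the XStream project: an unmarshalling endpoint that hands caller-supplied XML to `XStream.fromXML` lets the XML root element choose which class gets instantiated, and the fix is an explicit type allow-list. The class `Order`, the method names `fromUntrustedXml*` and both sample documents are constructed for illustration. The permission API used in the hardened variant (`addPermission`, `allowTypes`, `NoTypePermission`, `ForbiddenClassException`) was introduced upstream in XStream 1.4.7 and is not available in the 1.3.1 builds named in the Fedora comments below.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    /** Hypothetical domain type the endpoint is supposed to receive. */
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Constructed sample inputs. The first is what the endpoint expects; the
    // second names a different type at the root. In XStream the root element
    // (here the built-in alias "map" for java.util.HashMap) selects the class
    // that gets instantiated, so the sender controls the type, not the server.
    static final String EXPECTED_XML =
        "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
    static final String UNEXPECTED_XML =
        "<map><entry><string>k</string><string>v</string></entry></map>";

    /** CVE-2013-7285 pattern: any type XStream knows how to build is accepted. */
    static Object fromUntrustedXmlVulnerable(String xml) {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        // From XStream 1.4.18 the default is already an allow-list; this line
        // restores the pre-fix behaviour so the example runs the same everywhere.
        xstream.addPermission(AnyTypePermission.ANY);
        return xstream.fromXML(xml);
    }

    /** Hardened: deny everything, then allow only the types the endpoint needs. */
    static Order fromUntrustedXmlHardened(String xml) {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        xstream.addPermission(NoTypePermission.NONE);              // clear all defaults
        xstream.addPermission(NullPermission.NULL);                // allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Any other root or nested type now fails with ForbiddenClassException
        // before the object is constructed.
        return (Order) xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        Object o = fromUntrustedXmlVulnerable(UNEXPECTED_XML);
        System.out.println("vulnerable built a " + o.getClass().getName());

        Order ok = fromUntrustedXmlHardened(EXPECTED_XML);
        System.out.println("hardened accepted " + ok.sku + " x" + ok.quantity);

        try {
            fromUntrustedXmlHardened(UNEXPECTED_XML);
        } catch (ForbiddenClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

The first call shows the problem without any gadget chain: the server asked for an `Order` and received a `java.util.HashMap` because the XML said so. The allow-list version fails closed, which is the check a practitioner should look for when auditing an XStream endpoint; a deny-list of known-dangerous classes is weaker because it has to be updated every time a new gadget type is found.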

Comment 6 David Jorm 2014-02-11 07:08:44 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1063625]

Comment 8 Fedora Update System 2014-02-22 00:46:55 UTC
xstream-1.3.1-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-02-22 00:56:11 UTC
xstream-1.3.1-5.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2014-02-26 20:32:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0216 https://rhn.redhat.com/errata/RHSA-2014-0216.html

Comment 11 errata-xmlrpc 2014-03-13 19:22:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2014:0294 https://rhn.redhat.com/errata/RHSA-2014-0294.html

Comment 12 errata-xmlrpc 2014-03-24 18:05:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse and A-MQ 6.0.0 R1 P3

Via RHSA-2014:0323 https://rhn.redhat.com/errata/RHSA-2014-0323.html

Comment 14 errata-xmlrpc 2014-04-03 21:23:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html

Comment 15 errata-xmlrpc 2014-04-03 21:31:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.1

Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html

Comment 16 errata-xmlrpc 2014-04-03 22:01:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.2.1

Via RHSA-2014:0374 https://rhn.redhat.com/errata/RHSA-2014-0374.html

Comment 17 errata-xmlrpc 2014-04-09 18:02:43 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.3

Via RHSA-2014:0389 https://rhn.redhat.com/errata/RHSA-2014-0389.html

Comment 19 errata-xmlrpc 2014-04-30 18:51:15 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html

Comment 21 errata-xmlrpc 2014-08-05 14:10:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html

Comment 23 Martin Prpič 2014-08-07 11:09:18 UTC
IssueDescription:

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Comment 24 errata-xmlrpc 2014-08-14 15:51:28 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html

Comment 26 errata-xmlrpc 2015-05-14 15:15:15 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 27 errata-xmlrpc 2015-10-12 15:27:44 UTC
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html

Comment 28 msiddiqu 2019-12-19 11:13:13 UTC
Reference:

https://issues.redhat.com/browse/KEYCLOAK-12571