Bug 1966735 (CVE-2021-29505)
| Summary: | CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abenaiss, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, bibryam, bmontgom, chazlett, dchen, drieden, eparis, etirelli, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, java-sig-commits, jburrell, jcoleman, jnethert, jochrist, jokerman, jolee, jrokos, jross, jschatte, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lkundrak, mizdebsk, mkyral, mnovotny, nstielau, nwallace, pantinor, pbhattac, pjindal, rrajasek, rwagner, sponnaga, tcunning, tkirby, tzimanyi, vbobade |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | xstream 1.4.17 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-12 10:40:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1966736, 1968597 | ||
| Bug Blocks: | 1966737 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-06-01 18:45:06 UTC
Created xstream tracking bugs for this issue: Affects: fedora-all [bug 1966736] Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Intergration Camel K as Moderate, although these products use vulnerable versions of XStream through the camel-xstream component https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream Camel provides an extended default deny list with `org.apache.camel.xstream.permissions`, the default being `-,java.lang.,java.util.`, for this reason the attack complexity is significantly increased as this deny list is out of the attackers control. Users overriding the org.apache.camel.xstream.permissions for unmarshalling of XML should ensure all classes are denied by default eg. `-*,com.misc.mypacakge.myclass`. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2683 https://access.redhat.com/errata/RHSA-2021:2683 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29505 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918 This issue has been addressed in the following products: RHPAM 7.12.0 Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296 This issue has been addressed in the following products: RHDM 7.12.0 Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297 This issue has been addressed in the following products: Red Hat Data Grid 8.3.0 Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520 This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532 |