Bug 1997793 (CVE-2021-39152)
| Summary: | CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | abenaiss, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, bibryam, bmontgom, chazlett, drieden, eparis, etirelli, extras-orphan, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, java-sig-commits, jburrell, jcoleman, jnethert, jochrist, jokerman, jolee, jrokos, jross, jschatte, jstastny, jwon, krathod, kverlaen, ldimaggi, lkundrak, mizdebsk, mnovotny, nstielau, nwallace, pantinor, pbhattac, pdelbell, pjindal, rrajasek, rwagner, sponnaga, tcunning, tkirby, tzimanyi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | xstream 1.4.18 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-25 14:09:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1997794, 1998636 | | |
| Bug Blocks: | 1997804 | | |
Description

Guilherme de Almeida Suckevicz, 2021-08-25 19:53:45 UTC

Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1997794]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:3956 https://access.redhat.com/errata/RHSA-2021:3956

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-39152

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918

This issue has been addressed in the following products:

RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

This issue has been addressed in the following products:

RHDM 7.12.0

Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297

This issue has been addressed in the following products:

Red Hat Data Grid 8.3.0

Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520