Bug 1051277 - (CVE-2013-7285) CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20131222,repo...
Keywords: Security
Depends On: 1063566 1063567 1063568 1063569 1063570 1063571 1063572 1063573 1063574 1063575 1063602 1063603 1063604 1063605 1063625 1124701
Blocks: 1051281 1058944 1062718 1072116 1073684 1082921 1082938 1110978 1125720 1244362
Reported: 2014-01-09 19:32 EST by David Jorm
Modified: 2015-10-15 14:10 EDT (History)
Doc Type: Bug Fix
Doc Text:
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Description David Jorm 2014-01-09 19:32:17 EST
It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Comment 6 David Jorm 2014-02-11 02:08:44 EST
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1063625]
Comment 8 Fedora Update System 2014-02-21 19:46:55 EST
xstream-1.3.1-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-02-21 19:56:11 EST
xstream-1.3.1-5.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2014-02-26 15:32:31 EST
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0216 https://rhn.redhat.com/errata/RHSA-2014-0216.html
Comment 11 errata-xmlrpc 2014-03-13 15:22:13 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2014:0294 https://rhn.redhat.com/errata/RHSA-2014-0294.html
Comment 12 errata-xmlrpc 2014-03-24 14:05:47 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse and A-MQ 6.0.0 R1 P3

Via RHSA-2014:0323 https://rhn.redhat.com/errata/RHSA-2014-0323.html
Comment 14 errata-xmlrpc 2014-04-03 17:23:21 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html
Comment 15 errata-xmlrpc 2014-04-03 17:31:15 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.1

Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html
Comment 16 errata-xmlrpc 2014-04-03 18:01:56 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.2.1

Via RHSA-2014:0374 https://rhn.redhat.com/errata/RHSA-2014-0374.html
Comment 17 errata-xmlrpc 2014-04-09 14:02:43 EDT
This issue has been addressed in the following products:

  RHEV Manager version 3.3

Via RHSA-2014:0389 https://rhn.redhat.com/errata/RHSA-2014-0389.html
Comment 19 errata-xmlrpc 2014-04-30 14:51:15 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html
Comment 21 errata-xmlrpc 2014-08-05 10:10:35 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html
Comment 23 Martin Prpic 2014-08-07 07:09:18 EDT
IssueDescription:

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Comment 24 errata-xmlrpc 2014-08-14 11:51:28 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html
Comment 26 errata-xmlrpc 2015-05-14 11:15:15 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Comment 27 errata-xmlrpc 2015-10-12 11:27:44 EDT
This issue has been addressed in the following products:

Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html