Bug 1051277 (CVE-2013-7285) - CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
Summary: CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-7285
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: high
Priority: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1063566 1063567 1063568 1063569 1063570 1063571 1063572 1063573 1063574 1063575 1063602 1063603 1063604 1063605 1063625 1124701
Blocks: 1051281 1058944 1062718 1072116 1073684 1082921 1082938 1110978 1125720 1244362
Reported: 2014-01-10 00:32 UTC by David Jorm
Modified: 2021-02-17 07:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Clone Of:
Environment:
Last Closed: 2018-11-16 20:25:17 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0216 0 normal SHIPPED_LIVE Important: XStream security update 2014-02-27 01:32:19 UTC
Red Hat Product Errata RHSA-2014:0294 0 normal SHIPPED_LIVE Important: XStream security update 2014-03-13 23:21:28 UTC
Red Hat Product Errata RHSA-2014:0323 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.0.0 security update 2014-03-24 22:05:04 UTC
Red Hat Product Errata RHSA-2014:0371 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.1 update 2014-04-04 01:19:56 UTC
Red Hat Product Errata RHSA-2014:0372 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.1 update 2014-04-04 01:30:03 UTC
Red Hat Product Errata RHSA-2014:0374 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.2.1 update 2014-04-04 02:01:40 UTC
Red Hat Product Errata RHSA-2014:0389 0 normal SHIPPED_LIVE Important: jasperreports-server-pro security update 2014-04-09 22:02:28 UTC
Red Hat Product Errata RHSA-2014:0452 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update 2014-04-30 22:49:57 UTC
Red Hat Product Errata RHSA-2014:1007 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 5.3.1 update 2014-08-05 18:10:28 UTC
Red Hat Product Errata RHSA-2014:1059 0 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 5.2.2 security update 2014-08-14 19:47:56 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC
Red Hat Product Errata RHSA-2015:1888 0 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 security update 2015-10-12 19:27:33 UTC

Description David Jorm 2014-01-10 00:32:17 UTC
It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
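The flaw described above comes from XStream's default behaviour of mapping any element name to any class available on the classpath. The following is an added example, not part of this bug report or of the XStream project; it assumes XStream 1.4.7 or later (the release that introduced the type-permission security framework, which this page does not name) and uses a constructed `Order` type and constructed sample XML to show the unrestricted default beside an allowlist configuration that rejects unexpected types.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type that this endpoint legitimately expects.
    public static final class Order {
        public String id;
        public int quantity;
    }

    // Vulnerable pattern: with no permissions configured, XStream will
    // instantiate whatever class the root element (or any nested element) names.
    static Object deserializeUnrestricted(String untrustedXml) {
        XStream xstream = new XStream();
        return xstream.fromXML(untrustedXml);
    }

    // Hardened pattern: start from deny-all, then allow only the types
    // this endpoint needs. Anything else raises ForbiddenClassException.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything
        xstream.addPermission(NullPermission.NULL);                // permit null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample: the document shape the endpoint is designed to accept.
        String expected = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order order = (Order) hardenedXStream().fromXML(expected);
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        // Constructed sample: an element naming a class the endpoint never asked for.
        String unexpected = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        try {
            hardenedXStream().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same `unexpected` document passed to `deserializeUnrestricted` would be instantiated without complaint, which is the behaviour the report describes.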

Comment 6 David Jorm 2014-02-11 07:08:44 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1063625]

Comment 8 Fedora Update System 2014-02-22 00:46:55 UTC
xstream-1.3.1-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-02-22 00:56:11 UTC
xstream-1.3.1-5.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2014-02-26 20:32:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0216 https://rhn.redhat.com/errata/RHSA-2014-0216.html

Comment 11 errata-xmlrpc 2014-03-13 19:22:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2014:0294 https://rhn.redhat.com/errata/RHSA-2014-0294.html

Comment 12 errata-xmlrpc 2014-03-24 18:05:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse and A-MQ 6.0.0 R1 P3

Via RHSA-2014:0323 https://rhn.redhat.com/errata/RHSA-2014-0323.html

Comment 14 errata-xmlrpc 2014-04-03 21:23:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html

Comment 15 errata-xmlrpc 2014-04-03 21:31:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.1

Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html

Comment 16 errata-xmlrpc 2014-04-03 22:01:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.2.1

Via RHSA-2014:0374 https://rhn.redhat.com/errata/RHSA-2014-0374.html

Comment 17 errata-xmlrpc 2014-04-09 18:02:43 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.3

Via RHSA-2014:0389 https://rhn.redhat.com/errata/RHSA-2014-0389.html

Comment 19 errata-xmlrpc 2014-04-30 18:51:15 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html

Comment 21 errata-xmlrpc 2014-08-05 14:10:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html

Comment 23 Martin Prpič 2014-08-07 11:09:18 UTC
IssueDescription:

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Comment 24 errata-xmlrpc 2014-08-14 15:51:28 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html

Comment 26 errata-xmlrpc 2015-05-14 15:15:15 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 27 errata-xmlrpc 2015-10-12 15:27:44 UTC
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html

Comment 28 msiddiqu 2019-12-19 11:13:13 UTC
Reference:

https://issues.redhat.com/browse/KEYCLOAK-12571
