1997772 – (CVE-2021-39144) CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*

Bug 1997772 (CVE-2021-39144) - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*

Summary: CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-39144
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1997773 1998633
Blocks:	1997804
TreeView+	depends on / blocked

Reported:	2021-08-25 19:02 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-06-27 18:53 UTC (History)
CC List:	105 users (show)
Fixed In Version:	xstream 1.4.18
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.
Clone Of:
Environment:
Last Closed:	2021-10-25 14:08:25 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:3956	None	None	None	2021-10-25 06:50:54 UTC
Red Hat Product Errata	RHSA-2021:4767	None	None	None	2021-11-23 10:36:04 UTC
Red Hat Product Errata	RHSA-2021:4918	None	None	None	2021-12-02 16:18:35 UTC
Red Hat Product Errata	RHSA-2022:0296	None	None	None	2022-01-26 15:53:35 UTC
Red Hat Product Errata	RHSA-2022:0297	None	None	None	2022-01-26 16:57:39 UTC
Red Hat Product Errata	RHSA-2022:0520	None	None	None	2022-02-14 13:07:16 UTC
Red Hat Product Errata	RHSA-2023:1303	None	None	None	2023-03-17 16:41:09 UTC
Red Hat Product Errata	RHSA-2023:3892	None	None	None	2023-06-27 18:53:52 UTC

Description Guilherme de Almeida Suckevicz 2021-08-25 19:02:27 UTC

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

References:
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
https://x-stream.github.io/CVE-2021-39144.html

Comment 1 Guilherme de Almeida Suckevicz 2021-08-25 19:03:23 UTC

Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1997773]

Comment 10 errata-xmlrpc 2021-10-25 06:50:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3956 https://access.redhat.com/errata/RHSA-2021:3956

Comment 11 Product Security DevOps Team 2021-10-25 14:08:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-39144

Comment 12 errata-xmlrpc 2021-11-23 10:36:01 UTC

This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 13 errata-xmlrpc 2021-12-02 16:18:32 UTC

This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918

Comment 14 errata-xmlrpc 2022-01-26 15:53:32 UTC

This issue has been addressed in the following products:

  RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

Comment 15 errata-xmlrpc 2022-01-26 16:57:35 UTC

This issue has been addressed in the following products:

  RHDM 7.12.0

Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297

Comment 16 errata-xmlrpc 2022-02-14 13:07:13 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 8.3.0

Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520

Comment 27 errata-xmlrpc 2023-03-17 16:41:06 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.10

Via RHSA-2023:1303 https://access.redhat.com/errata/RHSA-2023:1303

Comment 29 errata-xmlrpc 2023-06-27 18:53:47 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892

Note You need to log in before you can comment on or make changes to this bug.

abenaiss
aileenc
akoufoud
alazarot
almorale
anstephe
aos-bugs
asoldano
ataylor
avibelli
bbaranow
bgeorges
bibryam
bmaxwell
bmontgom
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
dkreling
dosoudil
drieden
ellin
eparis
eric.wittmann
etirelli
extras-orphan
fedoraproject.org
fjuma
ggaughan
gmalinko
gsmet
gvarsami
hamadhan
hbraun
ibek
ivassile
iweiss
janstey
java-sig-commits
jburrell
jcantril
jcoleman
jmartisk
jnethert
jochrist
jokerman
jolee
jpavlik
jpechane
jpoth
jrokos
jross
jschatte
jstastny
jwon
krathod
kverlaen
ldimaggi
lgao
lkundrak
lthon
max.andersen
mizdebsk
mnovotny
mokumar
mosmerov
msochure
msvehla
nstielau
nwallace
pantinor
pbhattac
pdelbell
pdrozd
peholase
periklis
pgallagh
pjindal
pmackay
probinso
pskopek
rjohnson
rkieley
rrajasek
rruss
rstancel
rsvoboda
rwagner
sbiarozk
scorneli
sdouglas
shbose
smaestri
sponnaga
sthorger
tcunning
tkirby
tom.jenkinson
tzimanyi
yfang
ymittal