XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh https://x-stream.github.io/CVE-2021-39144.html
Created xstream tracking bugs for this issue: Affects: fedora-all [bug 1997773]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3956 https://access.redhat.com/errata/RHSA-2021:3956
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-39144
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
This issue has been addressed in the following products: RHPAM 7.12.0 Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296
This issue has been addressed in the following products: RHDM 7.12.0 Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297
This issue has been addressed in the following products: Red Hat Data Grid 8.3.0 Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520
This issue has been addressed in the following products: Red Hat Data Grid 7.3.10 Via RHSA-2023:1303 https://access.redhat.com/errata/RHSA-2023:1303
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892