Bug 2023445 - XStream Arbitrary Code Execution And Multiple vulnerabilities
Summary: XStream Arbitrary Code Execution And Multiple vulnerabilities
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xstream
Version: 7.9
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Mikolaj Izdebski
QA Contact: RHEL CS Apps Subsystem QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-15 17:57 UTC by Makarand Jadhav
Modified: 2022-01-04 09:34 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-04 09:34:09 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-102833 0 None None None 2021-11-15 18:03:38 UTC

Description Makarand Jadhav 2021-11-15 17:57:50 UTC
Description of problem:
The current CentOS 7 version 7.9.2009(Kernel version: 3.10.0-1160.45.1.el7.x86_64) does not seems to have the latest fix in version 1.4.18 for the XStream library. The XStream version available on CentOS 7 is xstream-1.3.1.
This has been reported by Built-in Qualys vulnerability assessment on the Virtual Machine with CentOS 7 version with a CVSS base score( v2.0: 9.3, v3.0: 9.9)

As per the Remediation step, it points to https://x-stream.github.io/security.html which needs latest version i.e. 1.4.18 for the XStream library. Currently it seems that version 1.4.18 is available only for CentOS 8 at https://centos.pkgs.org/8/epel-x86_64/xstream-1.4.18-3.el8.noarch.rpm.html

Can I please request that security fix in 1.4.18 for XStream is available for CentOS 7 as well?

I was advised to create a bug here for RedHat 7 based on the bug in CentOS 7 https://bugs.centos.org/view.php?id=18351

The vulnerability is been reported for the following CVEs:

CVE-2021-39139
CVE-2021-39140
CVE-2021-39141
CVE-2021-39144
CVE-2021-39145
CVE-2021-39146
CVE-2021-39147
CVE-2021-39148
CVE-2021-39149
CVE-2021-39150
CVE-2021-39151
CVE-2021-39152
CVE-2021-39153
CVE-2021-39154
CVE-2021-29505
CVE-2021-21341
CVE-2021-21342
CVE-2021-21343
CVE-2021-21344
CVE-2021-21345
CVE-2021-21346
CVE-2021-21347
CVE-2021-21348
CVE-2021-21349
CVE-2021-21350
CVE-2021-21351
CVE-2020-26258
CVE-2020-26259
CVE-2020-26217
CVE-2017-7957
CVE-2016-3674
CVE-2013-7285

Comment 3 Mikolaj Izdebski 2021-11-15 21:03:18 UTC
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:
    https://access.redhat.com/support

For information on how to contact the Red Hat Product Security team, please visit:
    https://access.redhat.com/security/team/contact

Comment 4 Mikolaj Izdebski 2022-01-04 09:34:09 UTC
RHEL 7 is already in Maintenance Support 2 phase, which means that only Critical impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be addressed. Please see https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase for further information.

Since this bug does not meet the criteria, we'll close it as WONTFIX. If this is a critical issue for you, feel free to reach to Product Security or Production Support, as explained in comment #3 above.


Note You need to log in before you can comment on or make changes to this bug.