Bug 2023445 - XStream Arbitrary Code Execution And Multiple vulnerabilities
Summary: XStream Arbitrary Code Execution And Multiple vulnerabilities
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xstream
Version: 7.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Mikolaj Izdebski
QA Contact: RHEL CS Apps Subsystem QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-15 17:57 UTC by Makarand Jadhav
Modified: 2022-01-04 09:34 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-04 09:34:09 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-102833 0 None None None 2021-11-15 18:03:38 UTC

Description Makarand Jadhav 2021-11-15 17:57:50 UTC
Description of problem:
The current CentOS 7 version 7.9.2009 (Kernel version: 3.10.0-1160.45.1.el7.x86_64) does not seem to have the latest fix in version 1.4.18 for the XStream library. The XStream version available on CentOS 7 is xstream-1.3.1.
This has been reported by the built-in Qualys vulnerability assessment on the virtual machine with CentOS 7 version with a CVSS base score (v2.0: 9.3, v3.0: 9.9).

As per the remediation step, it points to https://x-stream.github.io/security.html, which needs the latest version, i.e. 1.4.18, of the XStream library. Currently it seems that version 1.4.18 is available only for CentOS 8 at https://centos.pkgs.org/8/epel-x86_64/xstream-1.4.18-3.el8.noarch.rpm.html

Can I please request that the security fix in 1.4.18 for XStream be made available for CentOS 7 as well?

I was advised to create a bug here for Red Hat 7 based on the bug in CentOS 7 https://bugs.centos.org/view.php?id=18351

The vulnerability has been reported for the following CVEs:

CVE-2021-39139
CVE-2021-39140
CVE-2021-39141
CVE-2021-39144
CVE-2021-39145
CVE-2021-39146
CVE-2021-39147
CVE-2021-39148
CVE-2021-39149
CVE-2021-39150
CVE-2021-39151
CVE-2021-39152
CVE-2021-39153
CVE-2021-39154
CVE-2021-29505
CVE-2021-21341
CVE-2021-21342
CVE-2021-21343
CVE-2021-21344
CVE-2021-21345
CVE-2021-21346
CVE-2021-21347
CVE-2021-21348
CVE-2021-21349
CVE-2021-21350
CVE-2021-21351
CVE-2020-26258
CVE-2020-26259
CVE-2020-26217
CVE-2017-7957
CVE-2016-3674
CVE-2013-7285

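The report above asks for the 1.4.18 package because the remediation page it cites, https://x-stream.github.io/security.html, relies on XStream's type allowlist. As an added example, not part of the bug report and not code from the XStream project, the following Java snippet shows that mitigation as a consumer of the library would apply it: every type named in incoming XML must be explicitly permitted, and XML naming any other class is rejected by the security framework before an instance is created. It assumes XStream 1.4.7 or later on the classpath (the `addPermission`/`allowTypes` API is not present in the 1.3.1 build the reporter describes); `ScanResult` and both XML inputs are constructed for the example.

```java
import java.util.List;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Hypothetical application type that the XML is legitimately expected to carry.
    public static class ScanResult {
        public String host;
        public int findings;
    }

    // Build an XStream instance whose deserializer accepts only an explicit allowlist.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears any permissions XStream installed by default,
        // so nothing is deserializable until it is added back below.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);                // null field values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xstream.allowTypes(new Class[] { String.class, ScanResult.class });
        xstream.allowTypeHierarchy(List.class);                    // any List implementation
        // Alias so the XML does not have to carry the fully qualified class name.
        xstream.alias("scanResult", ScanResult.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed input matching the allowlisted type: deserializes normally.
        String ok = "<scanResult><host>vm01</host><findings>3</findings></scanResult>";
        ScanResult r = (ScanResult) xstream.fromXML(ok);
        System.out.println("parsed: host=" + r.host + " findings=" + r.findings);

        // Constructed input whose root element names a class that is not on the
        // allowlist. The element name is resolved as a type, and the security
        // framework refuses it, so no object of that class is ever constructed.
        String unexpected = "<java.util.Properties/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("UNEXPECTED: unlisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run this against the XStream jar and its XML parser dependencies. The point for a RHEL 7 host is the one the reporter raises: the allowlist is the upstream-recommended defence against the listed deserialization CVEs, and it is only available once the library is recent enough to provide the security framework, so checking the installed version (`rpm -q xstream`) is the first step of any remediation.
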
Comment 3 Mikolaj Izdebski 2021-11-15 21:03:18 UTC
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:
    https://access.redhat.com/support

For information on how to contact the Red Hat Product Security team, please visit:
    https://access.redhat.com/security/team/contact

Comment 4 Mikolaj Izdebski 2022-01-04 09:34:09 UTC
RHEL 7 is already in Maintenance Support 2 phase, which means that only Critical impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be addressed. Please see https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase for further information.

Since this bug does not meet the criteria, we'll close it as WONTFIX. If this is a critical issue for you, feel free to reach out to Product Security or Production Support, as explained in comment #3 above.