It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Upstream mailing list discussion: http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev
Upstream patch commit: https://fisheye.codehaus.org/changelog/xstream?cs=2210
External references:
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
https://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/
http://xstream.codehaus.org/security.html
Created xstream tracking bugs for this issue:
Affects: fedora-all [bug 1063625]
xstream-1.3.1-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
xstream-1.3.1-5.1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat JBoss Fuse Service Works 6.0.0
Via RHSA-2014:0216 https://rhn.redhat.com/errata/RHSA-2014-0216.html
This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization 6.0.0
Via RHSA-2014:0294 https://rhn.redhat.com/errata/RHSA-2014-0294.html
This issue has been addressed in the following products:
Red Hat JBoss Fuse and A-MQ 6.0.0 R1 P3
Via RHSA-2014:0323 https://rhn.redhat.com/errata/RHSA-2014-0323.html
This issue has been addressed in the following products:
Red Hat JBoss BPM Suite 6.0.1
Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html
This issue has been addressed in the following products:
Red Hat JBoss BRMS 6.0.1
Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html
This issue has been addressed in the following products:
Red Hat JBoss Data Grid 6.2.1
Via RHSA-2014:0374 https://rhn.redhat.com/errata/RHSA-2014-0374.html
This issue has been addressed in the following products:
RHEV Manager version 3.3
Via RHSA-2014:0389 https://rhn.redhat.com/errata/RHSA-2014-0389.html
This issue has been addressed in the following products:
Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3
Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html
This issue has been addressed in the following products:
Red Hat JBoss BRMS 5.3.1
Via RHSA-2014:1007 https://rhn.redhat.com/errata/RHSA-2014-1007.html
IssueDescription: It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
This issue has been addressed in the following products:
JBoss Enterprise Portal Platform 5.2.2
Via RHSA-2014:1059 https://rhn.redhat.com/errata/RHSA-2014-1059.html
This issue has been addressed in the following products:
JBoss Portal 6.2.0
Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue has been addressed in the following products:
Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html
Reference: https://issues.redhat.com/browse/KEYCLOAK-12571