Bug 1966735 (CVE-2021-29505) - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
Summary: CVE-2021-29505 XStream: remote command execution attack by manipulating the p...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29505
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1966736 1968597
Blocks: 1966737
TreeView+ depends on / blocked
 
Reported: 2021-06-01 18:45 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-07 14:20 UTC (History)
53 users (show)

Fixed In Version: xstream 1.4.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-07-12 10:40:22 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2683 0 None None None 2021-07-12 08:03:54 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:35:40 UTC
Red Hat Product Errata RHSA-2021:4918 0 None None None 2021-12-02 16:18:20 UTC
Red Hat Product Errata RHSA-2022:0296 0 None None None 2022-01-26 15:53:16 UTC
Red Hat Product Errata RHSA-2022:0297 0 None None None 2022-01-26 16:57:11 UTC
Red Hat Product Errata RHSA-2022:0520 0 None None None 2022-02-14 13:06:38 UTC
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:20:24 UTC

Description Guilherme de Almeida Suckevicz 2021-06-01 18:45:06 UTC
The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Reference:
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

Comment 1 Guilherme de Almeida Suckevicz 2021-06-01 18:45:31 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1966736]

Comment 9 Jonathan Christison 2021-06-07 11:18:30 UTC
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Intergration Camel K as Moderate, although these products use vulnerable versions of XStream through the camel-xstream component https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream Camel provides an extended default deny list with `org.apache.camel.xstream.permissions`, the default being `-,java.lang.,java.util.`, for this reason the attack complexity is significantly increased as this deny list is out of the attackers control.

Users overriding the org.apache.camel.xstream.permissions for unmarshalling of XML should ensure all classes are denied by default eg. `-*,com.misc.mypacakge.myclass`.

Comment 20 errata-xmlrpc 2021-07-12 08:03:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2683 https://access.redhat.com/errata/RHSA-2021:2683

Comment 21 Product Security DevOps Team 2021-07-12 10:40:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29505

Comment 22 errata-xmlrpc 2021-11-23 10:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 23 errata-xmlrpc 2021-12-02 16:18:18 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918

Comment 24 errata-xmlrpc 2022-01-26 15:53:11 UTC
This issue has been addressed in the following products:

  RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

Comment 25 errata-xmlrpc 2022-01-26 16:57:08 UTC
This issue has been addressed in the following products:

  RHDM 7.12.0

Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297

Comment 26 errata-xmlrpc 2022-02-14 13:06:34 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.3.0

Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520

Comment 27 errata-xmlrpc 2022-07-07 14:20:21 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532


Note You need to log in before you can comment on or make changes to this bug.