The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Reference: https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Created xstream tracking bugs for this issue: Affects: fedora-all [bug 1966736]
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Intergration Camel K as Moderate, although these products use vulnerable versions of XStream through the camel-xstream component https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream Camel provides an extended default deny list with `org.apache.camel.xstream.permissions`, the default being `-,java.lang.,java.util.`, for this reason the attack complexity is significantly increased as this deny list is out of the attackers control. Users overriding the org.apache.camel.xstream.permissions for unmarshalling of XML should ensure all classes are denied by default eg. `-*,com.misc.mypacakge.myclass`.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2683 https://access.redhat.com/errata/RHSA-2021:2683
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29505
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
This issue has been addressed in the following products: RHPAM 7.12.0 Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296
This issue has been addressed in the following products: RHDM 7.12.0 Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297
This issue has been addressed in the following products: Red Hat Data Grid 8.3.0 Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532