XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44 https://x-stream.github.io/CVE-2021-39139.html
Created xstream tracking bugs for this issue: Affects: fedora-all [bug 1997764]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3956 https://access.redhat.com/errata/RHSA-2021:3956
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-39139
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
This issue has been addressed in the following products: RHPAM 7.12.0 Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296
This issue has been addressed in the following products: RHDM 7.12.0 Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297
This issue has been addressed in the following products: Red Hat Data Grid 8.3.0 Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520