Bug 1997763 (CVE-2021-39139) - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
Summary: CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization o...
Keywords:
Status: NEW
Alias: CVE-2021-39139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1998630 1997764
Blocks: 1997804
TreeView+ depends on / blocked
 
Reported: 2021-08-25 18:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-20 21:07 UTC (History)
52 users (show)

Fixed In Version: xstream 1.4.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-08-25 18:53:05 UTC
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

References:
https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
https://x-stream.github.io/CVE-2021-39139.html

Comment 1 Guilherme de Almeida Suckevicz 2021-08-25 18:53:30 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1997764]


Note You need to log in before you can comment on or make changes to this bug.