Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-39152 (GCVE-0-2021-39152)
Vulnerability from cvelistv5 – Published: 2021-08-23 18:20 – Updated: 2024-08-04 01:58
VLAI
EPSS
Title
A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling
Summary
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
Severity
8.5 (High)
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/x-stream/xstream/security/advi… | x_refsource_CONFIRM |
| https://x-stream.github.io/CVE-2021-39152.html | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2021… | mailing-listx_refsource_MLIST |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://www.debian.org/security/2021/dsa-5004 | vendor-advisoryx_refsource_DEBIAN |
| https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021092… | x_refsource_CONFIRM |
| https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://x-stream.github.io/CVE-2021-39152.html"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2769-1] libxstream-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"
},
{
"name": "FEDORA-2021-fbad11014a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
},
{
"name": "FEDORA-2021-d894ca87dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
},
{
"name": "FEDORA-2021-5e376c0ed9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
},
{
"name": "DSA-5004",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210923-0003/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xstream",
"vendor": "x-stream",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:34:06.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://x-stream.github.io/CVE-2021-39152.html"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2769-1] libxstream-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"
},
{
"name": "FEDORA-2021-fbad11014a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
},
{
"name": "FEDORA-2021-d894ca87dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
},
{
"name": "FEDORA-2021-5e376c0ed9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
},
{
"name": "DSA-5004",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210923-0003/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"advisory": "GHSA-xw4p-crpj-vjx2",
"discovery": "UNKNOWN"
},
"title": "A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39152",
"STATE": "PUBLIC",
"TITLE": "A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xstream",
"version": {
"version_data": [
{
"version_value": "\u003c 1.4.18"
}
]
}
}
]
},
"vendor_name": "x-stream"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2",
"refsource": "CONFIRM",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
},
{
"name": "https://x-stream.github.io/CVE-2021-39152.html",
"refsource": "MISC",
"url": "https://x-stream.github.io/CVE-2021-39152.html"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2769-1] libxstream-java security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"
},
{
"name": "FEDORA-2021-fbad11014a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
},
{
"name": "FEDORA-2021-d894ca87dc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
},
{
"name": "FEDORA-2021-5e376c0ed9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
},
{
"name": "DSA-5004",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210923-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210923-0003/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"advisory": "GHSA-xw4p-crpj-vjx2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39152",
"datePublished": "2021-08-23T18:20:10.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:58:18.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-39152",
"date": "2026-05-28",
"epss": "0.61765",
"percentile": "0.98356"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-39152\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-08-23T19:15:13.247\",\"lastModified\":\"2025-05-23T16:47:47.407\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\"},{\"lang\":\"es\",\"value\":\"XStream es una biblioteca sencilla para serializar objetos a XML y viceversa. En las versiones afectadas, esta vulnerabilidad puede permitir a un atacante remoto requerir datos de recursos internos que no est\u00e1n disponibles p\u00fablicamente s\u00f3lo al manipular el flujo de entrada procesado con una versi\u00f3n de tiempo de ejecuci\u00f3n de Java versi\u00f3n 14 hasta 8. No est\u00e1 afectado ning\u00fan usuario que haya seguido la recomendaci\u00f3n de configurar el framework de seguridad de XStream con una lista blanca limitada a los tipos m\u00ednimos necesarios. Si conf\u00eda en la lista negra por defecto de XStream de [Security Framework](https://x-stream.github.io/security.html#framework), tendr\u00e1 que usar al menos la versi\u00f3n 1.4.18.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.18\",\"matchCriteriaId\":\"A01843B3-11E1-4CD5-9C77-CC57B908B845\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*\",\"matchCriteriaId\":\"26A2B713-7D6D-420A-93A4-E0D983C983DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*\",\"matchCriteriaId\":\"64DE38C8-94F1-4860-B045-F33928F676A8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA8461A2-428C-4817-92A9-0C671545698D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A3622F5-5976-4BBC-A147-FC8A6431EA79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A9E4125-B744-4A9D-BFE6-5D82939958FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"261212BD-125A-487F-97E8-A9587935DFE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4CA84D6-F312-4C29-A02B-050FCB7A902B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6B6FE82-7BFA-481D-99D6-789B146CA18B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4479F76A-4B67-41CC-98C7-C76B81050F8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17A91FD9-9F77-42D3-A4D9-48BC7568ADE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"539DA24F-E3E0-4455-84C6-A9D96CD601B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7637F8B-15F1-42E2-BE18-E1FF7C66587D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E43D793A-7756-4D58-A8ED-72DC4EC9CEA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"490B2C44-CECD-4551-B04F-4076D0E053C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"48EFC111-B01B-4C34-87E4-D6B2C40C0122\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"073FEA23-E46A-4C73-9D29-95CFF4F5A59D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A69FB468-EAF3-4E67-95E7-DF92C281C1F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5435B365-BFF3-4A9E-B45C-42D8F1E20FB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FAC3840-2CF8-44CE-81BB-EEEBDA00A34A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"900521A0-453C-4D97-B5EB-BADF0245370D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8DF02546-3F0D-4FDD-89B1-8A3FE43FB5BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F906F04-39E4-4BE4-8A73-9D058AAADB43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B393A82-476A-4270-A903-38ED4169E431\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3ED272C-A545-4F8C-86C0-2736B3F2DCAF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6A4F71A-4269-40FC-8F61-1D1301F2B728\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A502118-5B2B-47AE-82EC-1999BD841103\"}]}]}],\"references\":[{\"url\":\"https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210923-0003/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-5004\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://x-stream.github.io/CVE-2021-39152.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210923-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-5004\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://x-stream.github.io/CVE-2021-39152.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2022:0296
Vulnerability from csaf_redhat - Published: 2022-01-26 15:52 - Updated: 2026-05-23 14:30Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.12.0 security update
Severity
Critical
Notes
Topic: An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This release of Red Hat Process Automation Manager 7.12.0 serves as an update to Red Hat Process Automation Manager 7.11.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.12.0
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12
|
— |
Vendor Fix
fix
Workaround
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Low
References
116 references
Acknowledgments
Ivan Bodrov
Red Hat
Marc Nuri
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.12.0 serves as an update to Red Hat Process Automation Manager 7.11.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)\n\n* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)\n\n* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)\n\n* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)\n\n* xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:0296",
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "1923405",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923405"
},
{
"category": "external",
"summary": "1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "external",
"summary": "1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0296.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.12.0 security update",
"tracking": {
"current_release_date": "2026-05-23T14:30:54+00:00",
"generator": {
"date": "2026-05-23T14:30:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2022:0296",
"initial_release_date": "2022-01-26T15:52:53+00:00",
"revision_history": [
{
"date": "2022-01-26T15:52:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-01-26T15:52:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-23T14:30:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.12.0",
"product": {
"name": "RHPAM 7.12.0",
"product_id": "RHPAM 7.12.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-28491",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-02-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1930423"
}
],
"notes": [
{
"category": "description",
"text": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jackson-dataformat-cbor.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nIn OCP 4.6 the openshift4/ose-logging-elasticsearch6 container delivers the vulnerable version of jackson-dataformat-cbor, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support, hence this component is marked as ooss. Since the release of OCP 4.7 this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container).\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-28491"
},
{
"category": "external",
"summary": "RHBZ#1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-28491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"
}
],
"release_date": "2021-02-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception"
},
{
"acknowledgments": [
{
"names": [
"Ivan Bodrov"
]
},
{
"names": [
"Marc Nuri"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-20218",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-02-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1923405"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4 (OCP) there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and maybe fixed in a future update.\n\nRed Hat CodeReady WorkSpaces 2.7.0 does not ship fabric8-kubernetes-client and is therefore not affected by this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-20218"
},
{
"category": "external",
"summary": "RHBZ#1923405",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923405"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-20218",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20218",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20218"
},
{
"category": "external",
"summary": "https://github.com/fabric8io/kubernetes-client/issues/2715",
"url": "https://github.com/fabric8io/kubernetes-client/issues/2715"
}
],
"release_date": "2021-01-12T04:35:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise"
},
{
"cve": "CVE-2021-29505",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-05-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1966735"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote command execution attack by manipulating the processed input stream",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\nCodeReady Studio 12 ships a version of xstream that is affected by this flaw as a transitive dependency for the Wise framework plugin. However, the vulnerable code is not called, so this flaw has been marked as Low severity for CodeReady Studio 12.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29505"
},
{
"category": "external",
"summary": "RHBZ#1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29505",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"category": "external",
"summary": "https://x-stream.github.io/CVE-2021-29505.html",
"url": "https://x-stream.github.io/CVE-2021-29505.html"
}
],
"release_date": "2021-05-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
},
{
"category": "workaround",
"details": "Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.\n\nAllow list approach\n```java\nXStream xstream = new XStream();\nXStream.setupDefaultSecurity(xstream);\nxstream.allowTypesByWildcard(new String[] {\"com.misc.classname\"})\n```\nDeny list for XStream 1.4.16 (this should also address some previous flaws found in 1.4.7 - \u003e 1.4.15) \n```java\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.Lazy(?:Search)?Enumeration.*\", \"(?:java|sun)\\\\.rmi\\\\..*\" });\n```\n\nDeny list for XStream 1.4.15\n```java\nxstream.denyTypes(new String[]{ \"sun.awt.datatransfer.DataTransferer$IndexOrderComparator\", \"sun.swing.SwingLazyValue\", \"com.sun.corba.se.impl.activation.ServerTableEntry\", \"com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$ServiceNameIterator\", \"javafx\\\\.collections\\\\.ObservableList\\\\$.*\", \".*\\\\.bcel\\\\..*\\\\.util\\\\.ClassLoader\" });\nxstream.denyTypeHierarchy(java.io.InputStream.class );\nxstream.denyTypeHierarchy(java.nio.channels.Channel.class );\nxstream.denyTypeHierarchy(javax.activation.DataSource.class );\nxstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );\n```\n\nDeny list for XStream 1.4.13\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\n\nDeny list for XStream 1.4.7 -\u003e 1.4.12\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\n```\n\nDeny list for versions prior to XStream 1.4.7\n```java\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);\n```",
"product_ids": [
"RHPAM 7.12.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "XStream: remote command execution attack by manipulating the processed input stream"
},
{
"cve": "CVE-2021-39139",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997763"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39139"
},
{
"category": "external",
"summary": "RHBZ#1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39139",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39140",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997765"
}
],
"notes": [
{
"category": "description",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in the future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39140"
},
{
"category": "external",
"summary": "RHBZ#1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39140",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler"
},
{
"cve": "CVE-2021-39141",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997769"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39141"
},
{
"category": "external",
"summary": "RHBZ#1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39141",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39144",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997772"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security\n\nFor more information, please refer to the [Red Hat solution Article](https://access.redhat.com/solutions/7002450) explaining this issue.\n\nOpenShift Logging\u0027s Elasticsearch 6.8.1 using opendistro_security v0.10.1.2 is not affected by the vulnerable code because com.thoughtworks.xstream is only a build-time dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39144"
},
{
"category": "external",
"summary": "RHBZ#1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39144",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39144"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-03-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*"
},
{
"cve": "CVE-2021-39145",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997775"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39145"
},
{
"category": "external",
"summary": "RHBZ#1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39145",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39145"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39146",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39146"
},
{
"category": "external",
"summary": "RHBZ#1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39146",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
},
{
"cve": "CVE-2021-39147",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997779"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39147"
},
{
"category": "external",
"summary": "RHBZ#1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39147",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration"
},
{
"cve": "CVE-2021-39148",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39148"
},
{
"category": "external",
"summary": "RHBZ#1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39148",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator"
},
{
"cve": "CVE-2021-39149",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997784"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39149"
},
{
"category": "external",
"summary": "RHBZ#1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39149",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*"
},
{
"cve": "CVE-2021-39150",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997786"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39150"
},
{
"category": "external",
"summary": "RHBZ#1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39150",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39151",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997791"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39151"
},
{
"category": "external",
"summary": "RHBZ#1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39151",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39152",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39152"
},
{
"category": "external",
"summary": "RHBZ#1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39152",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData"
},
{
"cve": "CVE-2021-39153",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997795"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39153"
},
{
"category": "external",
"summary": "RHBZ#1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39153",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39153"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39154",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997801"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39154"
},
{
"category": "external",
"summary": "RHBZ#1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39154"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T15:52:53+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHPAM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
"RHPAM 7.12.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.12.0"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
}
]
}
RHSA-2022:0297
Vulnerability from csaf_redhat - Published: 2022-01-26 16:33 - Updated: 2026-05-14 22:31Summary
Red Hat Security Advisory: Red Hat Decision Manager 7.12.0 security update
Severity
Moderate
Notes
Topic: An update is now available for Red Hat Decision Manager.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business.
This release of Red Hat Decision Manager 7.12.0 serves as an update to Red Hat Decision Manager 7.11.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHDM 7.12.0
Red Hat / Red Hat Decision Manager
|
cpe:/a:redhat:jboss_enterprise_brms_platform:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
References
107 references
Acknowledgments
Ivan Bodrov
Red Hat
Marc Nuri
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model \u0026 Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.12.0 serves as an update to Red Hat Decision Manager 7.11.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)\n\n* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)\n\n* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)\n\n* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)\n\n* xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:0297",
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
},
{
"category": "external",
"summary": "1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1923405",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923405"
},
{
"category": "external",
"summary": "1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0297.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Decision Manager 7.12.0 security update",
"tracking": {
"current_release_date": "2026-05-14T22:31:36+00:00",
"generator": {
"date": "2026-05-14T22:31:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:0297",
"initial_release_date": "2022-01-26T16:33:21+00:00",
"revision_history": [
{
"date": "2022-01-26T16:33:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-01-26T16:33:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHDM 7.12.0",
"product": {
"name": "RHDM 7.12.0",
"product_id": "RHDM 7.12.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-28491",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-02-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1930423"
}
],
"notes": [
{
"category": "description",
"text": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jackson-dataformat-cbor.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nIn OCP 4.6 the openshift4/ose-logging-elasticsearch6 container delivers the vulnerable version of jackson-dataformat-cbor, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support, hence this component is marked as ooss. Since the release of OCP 4.7 this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container).\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-28491"
},
{
"category": "external",
"summary": "RHBZ#1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-28491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"
}
],
"release_date": "2021-02-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception"
},
{
"acknowledgments": [
{
"names": [
"Ivan Bodrov"
]
},
{
"names": [
"Marc Nuri"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-20218",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-02-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1923405"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4 (OCP) there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and maybe fixed in a future update.\n\nRed Hat CodeReady WorkSpaces 2.7.0 does not ship fabric8-kubernetes-client and is therefore not affected by this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-20218"
},
{
"category": "external",
"summary": "RHBZ#1923405",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923405"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-20218",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20218",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20218"
},
{
"category": "external",
"summary": "https://github.com/fabric8io/kubernetes-client/issues/2715",
"url": "https://github.com/fabric8io/kubernetes-client/issues/2715"
}
],
"release_date": "2021-01-12T04:35:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise"
},
{
"cve": "CVE-2021-29505",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-05-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1966735"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote command execution attack by manipulating the processed input stream",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\nCodeReady Studio 12 ships a version of xstream that is affected by this flaw as a transitive dependency for the Wise framework plugin. However, the vulnerable code is not called, so this flaw has been marked as Low severity for CodeReady Studio 12.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29505"
},
{
"category": "external",
"summary": "RHBZ#1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29505",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"category": "external",
"summary": "https://x-stream.github.io/CVE-2021-29505.html",
"url": "https://x-stream.github.io/CVE-2021-29505.html"
}
],
"release_date": "2021-05-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
},
{
"category": "workaround",
"details": "Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.\n\nAllow list approach\n```java\nXStream xstream = new XStream();\nXStream.setupDefaultSecurity(xstream);\nxstream.allowTypesByWildcard(new String[] {\"com.misc.classname\"})\n```\nDeny list for XStream 1.4.16 (this should also address some previous flaws found in 1.4.7 - \u003e 1.4.15) \n```java\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.Lazy(?:Search)?Enumeration.*\", \"(?:java|sun)\\\\.rmi\\\\..*\" });\n```\n\nDeny list for XStream 1.4.15\n```java\nxstream.denyTypes(new String[]{ \"sun.awt.datatransfer.DataTransferer$IndexOrderComparator\", \"sun.swing.SwingLazyValue\", \"com.sun.corba.se.impl.activation.ServerTableEntry\", \"com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$ServiceNameIterator\", \"javafx\\\\.collections\\\\.ObservableList\\\\$.*\", \".*\\\\.bcel\\\\..*\\\\.util\\\\.ClassLoader\" });\nxstream.denyTypeHierarchy(java.io.InputStream.class );\nxstream.denyTypeHierarchy(java.nio.channels.Channel.class );\nxstream.denyTypeHierarchy(javax.activation.DataSource.class );\nxstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );\n```\n\nDeny list for XStream 1.4.13\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\n\nDeny list for XStream 1.4.7 -\u003e 1.4.12\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\n```\n\nDeny list for versions prior to XStream 1.4.7\n```java\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);\n```",
"product_ids": [
"RHDM 7.12.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "XStream: remote command execution attack by manipulating the processed input stream"
},
{
"cve": "CVE-2021-39139",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997763"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39139"
},
{
"category": "external",
"summary": "RHBZ#1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39139",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39140",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997765"
}
],
"notes": [
{
"category": "description",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in the future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39140"
},
{
"category": "external",
"summary": "RHBZ#1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39140",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler"
},
{
"cve": "CVE-2021-39141",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997769"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39141"
},
{
"category": "external",
"summary": "RHBZ#1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39141",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39144",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997772"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security\n\nFor more information, please refer to the [Red Hat solution Article](https://access.redhat.com/solutions/7002450) explaining this issue.\n\nOpenShift Logging\u0027s Elasticsearch 6.8.1 using opendistro_security v0.10.1.2 is not affected by the vulnerable code because com.thoughtworks.xstream is only a build-time dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39144"
},
{
"category": "external",
"summary": "RHBZ#1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39144",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39144"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-03-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*"
},
{
"cve": "CVE-2021-39145",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997775"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39145"
},
{
"category": "external",
"summary": "RHBZ#1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39145",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39145"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39146",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39146"
},
{
"category": "external",
"summary": "RHBZ#1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39146",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
},
{
"cve": "CVE-2021-39147",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997779"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39147"
},
{
"category": "external",
"summary": "RHBZ#1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39147",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration"
},
{
"cve": "CVE-2021-39148",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39148"
},
{
"category": "external",
"summary": "RHBZ#1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39148",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator"
},
{
"cve": "CVE-2021-39149",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997784"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39149"
},
{
"category": "external",
"summary": "RHBZ#1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39149",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*"
},
{
"cve": "CVE-2021-39150",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997786"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39150"
},
{
"category": "external",
"summary": "RHBZ#1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39150",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39151",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997791"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39151"
},
{
"category": "external",
"summary": "RHBZ#1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39151",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39152",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39152"
},
{
"category": "external",
"summary": "RHBZ#1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39152",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData"
},
{
"cve": "CVE-2021-39153",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997795"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39153"
},
{
"category": "external",
"summary": "RHBZ#1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39153",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39153"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39154",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997801"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHDM 7.12.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39154"
},
{
"category": "external",
"summary": "RHBZ#1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39154"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-01-26T16:33:21+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"RHDM 7.12.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHDM 7.12.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
}
]
}
RHSA-2022:0520
Vulnerability from csaf_redhat - Published: 2022-02-14 13:06 - Updated: 2026-05-14 22:31Summary
Red Hat Security Advisory: Red Hat Data Grid 8.3.0 security update
Severity
Moderate
Notes
Topic: An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].
Security Fix(es):
* XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CWE-203 - Observable DiscrepancyAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
8.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Data Grid 8.3.0
Red Hat / Red Hat JBoss Data Grid
|
cpe:/a:redhat:jboss_data_grid:8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
119 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)\n\n* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)\n\n* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)\n\n* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)\n\n* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)\n\n* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:0520",
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=data.grid\u0026version=8.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=data.grid\u0026version=8.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/"
},
{
"category": "external",
"summary": "1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "external",
"summary": "1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0520.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.3.0 security update",
"tracking": {
"current_release_date": "2026-05-14T22:31:42+00:00",
"generator": {
"date": "2026-05-14T22:31:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:0520",
"initial_release_date": "2022-02-14T13:06:09+00:00",
"revision_history": [
{
"date": "2022-02-14T13:06:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-02-14T13:06:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.3.0",
"product": {
"name": "Red Hat Data Grid 8.3.0",
"product_id": "Red Hat Data Grid 8.3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3642",
"cwe": {
"id": "CWE-203",
"name": "Observable Discrepancy"
},
"discovery_date": "2021-06-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981407"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attack in ScramServer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3642"
},
{
"category": "external",
"summary": "RHBZ#1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642"
}
],
"release_date": "2021-06-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attack in ScramServer"
},
{
"cve": "CVE-2021-29505",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-05-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1966735"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XStream. By manipulating the processed input stream, a remote attacker may be able to obtain sufficient rights to execute commands. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: remote command execution attack by manipulating the processed input stream",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\nCodeReady Studio 12 ships a version of xstream that is affected by this flaw as a transitive dependency for the Wise framework plugin. However, the vulnerable code is not called, so this flaw has been marked as Low severity for CodeReady Studio 12.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29505"
},
{
"category": "external",
"summary": "RHBZ#1966735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966735"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29505",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"category": "external",
"summary": "https://x-stream.github.io/CVE-2021-29505.html",
"url": "https://x-stream.github.io/CVE-2021-29505.html"
}
],
"release_date": "2021-05-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
},
{
"category": "workaround",
"details": "Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.\n\nAllow list approach\n```java\nXStream xstream = new XStream();\nXStream.setupDefaultSecurity(xstream);\nxstream.allowTypesByWildcard(new String[] {\"com.misc.classname\"})\n```\nDeny list for XStream 1.4.16 (this should also address some previous flaws found in 1.4.7 - \u003e 1.4.15) \n```java\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.Lazy(?:Search)?Enumeration.*\", \"(?:java|sun)\\\\.rmi\\\\..*\" });\n```\n\nDeny list for XStream 1.4.15\n```java\nxstream.denyTypes(new String[]{ \"sun.awt.datatransfer.DataTransferer$IndexOrderComparator\", \"sun.swing.SwingLazyValue\", \"com.sun.corba.se.impl.activation.ServerTableEntry\", \"com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$ServiceNameIterator\", \"javafx\\\\.collections\\\\.ObservableList\\\\$.*\", \".*\\\\.bcel\\\\..*\\\\.util\\\\.ClassLoader\" });\nxstream.denyTypeHierarchy(java.io.InputStream.class );\nxstream.denyTypeHierarchy(java.nio.channels.Channel.class );\nxstream.denyTypeHierarchy(javax.activation.DataSource.class );\nxstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );\n```\n\nDeny list for XStream 1.4.13\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\n\nDeny list for XStream 1.4.7 -\u003e 1.4.12\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\n```\n\nDeny list for versions prior to XStream 1.4.7\n```java\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);\n```",
"product_ids": [
"Red Hat Data Grid 8.3.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "XStream: remote command execution attack by manipulating the processed input stream"
},
{
"cve": "CVE-2021-37136",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004133"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37136"
},
{
"category": "external",
"summary": "RHBZ#2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data"
},
{
"cve": "CVE-2021-37137",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37137"
},
{
"category": "external",
"summary": "RHBZ#2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way"
},
{
"cve": "CVE-2021-39139",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997763"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39139"
},
{
"category": "external",
"summary": "RHBZ#1997763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997763"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39139",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39139"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39140",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997765"
}
],
"notes": [
{
"category": "description",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in the future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39140"
},
{
"category": "external",
"summary": "RHBZ#1997765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997765"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39140",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler"
},
{
"cve": "CVE-2021-39141",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997769"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39141"
},
{
"category": "external",
"summary": "RHBZ#1997769",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997769"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39141",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39141"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39144",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997772"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\nThis version of XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security\n\nFor more information, please refer to the [Red Hat solution Article](https://access.redhat.com/solutions/7002450) explaining this issue.\n\nOpenShift Logging\u0027s Elasticsearch 6.8.1 using opendistro_security v0.10.1.2 is not affected by the vulnerable code because com.thoughtworks.xstream is only a build-time dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39144"
},
{
"category": "external",
"summary": "RHBZ#1997772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997772"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39144",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39144"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39144"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-03-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*"
},
{
"cve": "CVE-2021-39145",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997775"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39145"
},
{
"category": "external",
"summary": "RHBZ#1997775",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997775"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39145",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39145"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39145"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39146",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39146"
},
{
"category": "external",
"summary": "RHBZ#1997777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39146",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39146"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
},
{
"cve": "CVE-2021-39147",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997779"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39147"
},
{
"category": "external",
"summary": "RHBZ#1997779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997779"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39147",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39147"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration"
},
{
"cve": "CVE-2021-39148",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39148"
},
{
"category": "external",
"summary": "RHBZ#1997781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39148",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39148"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39148"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator"
},
{
"cve": "CVE-2021-39149",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997784"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39149"
},
{
"category": "external",
"summary": "RHBZ#1997784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39149",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39149"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*"
},
{
"cve": "CVE-2021-39150",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997786"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39150"
},
{
"category": "external",
"summary": "RHBZ#1997786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997786"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39150",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39150"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*"
},
{
"cve": "CVE-2021-39151",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997791"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39151"
},
{
"category": "external",
"summary": "RHBZ#1997791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997791"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39151",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration"
},
{
"cve": "CVE-2021-39152",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997793"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\n\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39152"
},
{
"category": "external",
"summary": "RHBZ#1997793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39152",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39152"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData"
},
{
"cve": "CVE-2021-39153",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997795"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39153"
},
{
"category": "external",
"summary": "RHBZ#1997795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39153",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39153"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39153"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl"
},
{
"cve": "CVE-2021-39154",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-08-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1997801"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Users who follow the recommended security framework with a whitelist to limit the types to the minimum required should not be affected. XStream 1.4.18 no longer uses a blacklist by default since it cannot be secured for general purposes.\n\nOpenShift Container Platform (OCP) delivers the Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, the OCP Jenkins package is not affected by this flaw.\nThis version of the XStream library will be delivered in future Jenkins releases.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39154"
},
{
"category": "external",
"summary": "RHBZ#1997801",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997801"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39154"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68"
}
],
"release_date": "2021-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.3.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-02-14T13:06:09+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.3.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.3.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.3.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.3.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
}
]
}
SUSE-SU-2021:3476-1
Vulnerability from csaf_suse - Published: 2021-10-20 06:42 - Updated: 2021-10-20 06:42Summary
Security update for xstream
Severity
Important
Notes
Title of the patch: Security update for xstream
Description of the patch: This update for xstream fixes the following issues:
- Upgrade to 1.4.18
- CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798)
- CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798)
- CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)
- CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)
- CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
- CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
Patchnames: SUSE-2021-3476,SUSE-SLE-Module-Development-Tools-15-SP2-2021-3476,SUSE-SLE-Module-Development-Tools-15-SP3-2021-3476,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3476,SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3476
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
47 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for xstream",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for xstream fixes the following issues:\n\n- Upgrade to 1.4.18\n- CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798)\n- CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798)\n- CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)\n- CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)\n- CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n- CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2021-3476,SUSE-SLE-Module-Development-Tools-15-SP2-2021-3476,SUSE-SLE-Module-Development-Tools-15-SP3-2021-3476,SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3476,SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3476",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_3476-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2021:3476-1",
"url": "https://www.suse.com/support/update/announcement/2021/suse-su-20213476-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2021:3476-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2021-October/020532.html"
},
{
"category": "self",
"summary": "SUSE Bug 1189798",
"url": "https://bugzilla.suse.com/1189798"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39139 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39139/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39140 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39140/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39141 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39141/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39144 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39144/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39145 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39145/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39146 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39146/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39147 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39147/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39148 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39148/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39149 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39149/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39150 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39150/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39151 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39151/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39152 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39152/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39153 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39153/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39154 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39154/"
}
],
"title": "Security update for xstream",
"tracking": {
"current_release_date": "2021-10-20T06:42:25Z",
"generator": {
"date": "2021-10-20T06:42:25Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2021:3476-1",
"initial_release_date": "2021-10-20T06:42:25Z",
"revision_history": [
{
"date": "2021-10-20T06:42:25Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "xstream-1.4.18-3.14.1.noarch",
"product": {
"name": "xstream-1.4.18-3.14.1.noarch",
"product_id": "xstream-1.4.18-3.14.1.noarch"
}
},
{
"category": "product_version",
"name": "xstream-benchmark-1.4.18-3.14.1.noarch",
"product": {
"name": "xstream-benchmark-1.4.18-3.14.1.noarch",
"product_id": "xstream-benchmark-1.4.18-3.14.1.noarch"
}
},
{
"category": "product_version",
"name": "xstream-javadoc-1.4.18-3.14.1.noarch",
"product": {
"name": "xstream-javadoc-1.4.18-3.14.1.noarch",
"product_id": "xstream-javadoc-1.4.18-3.14.1.noarch"
}
},
{
"category": "product_version",
"name": "xstream-parent-1.4.18-3.14.1.noarch",
"product": {
"name": "xstream-parent-1.4.18-3.14.1.noarch",
"product_id": "xstream-parent-1.4.18-3.14.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server Module 4.1",
"product": {
"name": "SUSE Manager Server Module 4.1",
"product_id": "SUSE Manager Server Module 4.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.1"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server Module 4.2",
"product": {
"name": "SUSE Manager Server Module 4.2",
"product_id": "SUSE Manager Server Module 4.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "xstream-1.4.18-3.14.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch"
},
"product_reference": "xstream-1.4.18-3.14.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xstream-1.4.18-3.14.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP3",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch"
},
"product_reference": "xstream-1.4.18-3.14.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xstream-1.4.18-3.14.1.noarch as component of SUSE Manager Server Module 4.1",
"product_id": "SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch"
},
"product_reference": "xstream-1.4.18-3.14.1.noarch",
"relates_to_product_reference": "SUSE Manager Server Module 4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "xstream-1.4.18-3.14.1.noarch as component of SUSE Manager Server Module 4.2",
"product_id": "SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
},
"product_reference": "xstream-1.4.18-3.14.1.noarch",
"relates_to_product_reference": "SUSE Manager Server Module 4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39139",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39139"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39139",
"url": "https://www.suse.com/security/cve/CVE-2021-39139"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39139",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39139"
},
{
"cve": "CVE-2021-39140",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39140"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39140",
"url": "https://www.suse.com/security/cve/CVE-2021-39140"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39140",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39140"
},
{
"cve": "CVE-2021-39141",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39141"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39141",
"url": "https://www.suse.com/security/cve/CVE-2021-39141"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39141",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39141"
},
{
"cve": "CVE-2021-39144",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39144"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39144",
"url": "https://www.suse.com/security/cve/CVE-2021-39144"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39144",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39144"
},
{
"cve": "CVE-2021-39145",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39145"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39145",
"url": "https://www.suse.com/security/cve/CVE-2021-39145"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39145",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39145"
},
{
"cve": "CVE-2021-39146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39146"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39146",
"url": "https://www.suse.com/security/cve/CVE-2021-39146"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39146",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39146"
},
{
"cve": "CVE-2021-39147",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39147"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39147",
"url": "https://www.suse.com/security/cve/CVE-2021-39147"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39147",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39147"
},
{
"cve": "CVE-2021-39148",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39148"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39148",
"url": "https://www.suse.com/security/cve/CVE-2021-39148"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39148",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39148"
},
{
"cve": "CVE-2021-39149",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39149"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39149",
"url": "https://www.suse.com/security/cve/CVE-2021-39149"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39149",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39149"
},
{
"cve": "CVE-2021-39150",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39150"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39150",
"url": "https://www.suse.com/security/cve/CVE-2021-39150"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39150",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39150"
},
{
"cve": "CVE-2021-39151",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39151"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39151",
"url": "https://www.suse.com/security/cve/CVE-2021-39151"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39151",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39151"
},
{
"cve": "CVE-2021-39152",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39152"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. If you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39152",
"url": "https://www.suse.com/security/cve/CVE-2021-39152"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39152",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39152"
},
{
"cve": "CVE-2021-39153",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39153"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39153",
"url": "https://www.suse.com/security/cve/CVE-2021-39153"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39153",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39153"
},
{
"cve": "CVE-2021-39154",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39154"
}
],
"notes": [
{
"category": "general",
"text": "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39154",
"url": "https://www.suse.com/security/cve/CVE-2021-39154"
},
{
"category": "external",
"summary": "SUSE Bug 1189798 for CVE-2021-39154",
"url": "https://bugzilla.suse.com/1189798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP2:xstream-1.4.18-3.14.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP3:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.1:xstream-1.4.18-3.14.1.noarch",
"SUSE Manager Server Module 4.2:xstream-1.4.18-3.14.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-10-20T06:42:25Z",
"details": "important"
}
],
"title": "CVE-2021-39154"
}
]
}
WID-SEC-W-2023-0682
Vulnerability from csaf_certbund - Published: 2021-10-24 22:00 - Updated: 2023-06-27 22:00Summary
Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in der Komponente xstream ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen, einen Denial of Service Zustand herzustellen und vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme: - UNIX
- Linux
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existiert eine Schwachstelle. Der Fehler besteht in der Komponente xstream aufgrund einer Endlosschleife durch unsichere Deserialisierung von sun.reflect.annotation.AnnotationInvocationHandler. Ein entfernter authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream durch eine mögliche Server-Side Request Forgery (SSRF) durch unsichere Deserialisierung von jdk.nashorn.internal.runtime.Source$URLData. Ein entfernter authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten von internen Ressourcen anzufordern, die nicht öffentlich zugänglich sind, indem er den verarbeiteten Eingabestrom manipuliert und so vertrauliche Informationen offenlegen kann.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream durch eine mögliche Server-Side Request Forgery (SSRF) durch unsichere Deserialisierung von jdk.nashorn.internal.runtime.Source$URLData. Ein entfernter authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten von internen Ressourcen anzufordern, die nicht öffentlich zugänglich sind, indem er den verarbeiteten Eingabestrom manipuliert und so vertrauliche Informationen offenlegen kann.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— |
References
12 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in der Komponente xstream ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren, einen Denial of Service Zustand herzustellen und vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0682 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2023-0682.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0682 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0682"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3892 vom 2023-06-27",
"url": "https://access.redhat.com/errata/RHSA-2023:3892"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1303 vom 2023-03-17",
"url": "https://access.redhat.com/errata/RHSA-2023:1303"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2021-10-24",
"url": "https://access.redhat.com/errata/RHSA-2021:3956"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2021-3956 vom 2021-10-25",
"url": "http://linux.oracle.com/errata/ELSA-2021-3956.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5004 vom 2021-11-11",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:4767 vom 2021-11-23",
"url": "https://access.redhat.com/errata/RHSA-2021:4767"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:4918 vom 2021-12-02",
"url": "https://access.redhat.com/errata/RHSA-2021:4918"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:0297 vom 2022-01-26",
"url": "https://access.redhat.com/errata/RHSA-2022:0297"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:0296 vom 2022-01-26",
"url": "https://access.redhat.com/errata/RHSA-2022:0296"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:0520 vom 2022-02-14",
"url": "https://access.redhat.com/errata/RHSA-2022:0520"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux (xstream): Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-06-27T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:46:52.404+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0682",
"initial_release_date": "2021-10-24T22:00:00.000+00:00",
"revision_history": [
{
"date": "2021-10-24T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2021-10-25T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2021-11-11T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2021-11-23T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-12-02T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-01-26T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-02-14T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-03-19T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-06-27T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7",
"product": {
"name": "Red Hat Enterprise Linux 7",
"product_id": "T003303",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39139",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39139"
},
{
"cve": "CVE-2021-39141",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39141"
},
{
"cve": "CVE-2021-39144",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39144"
},
{
"cve": "CVE-2021-39145",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39145"
},
{
"cve": "CVE-2021-39146",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39146"
},
{
"cve": "CVE-2021-39147",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39147"
},
{
"cve": "CVE-2021-39148",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39148"
},
{
"cve": "CVE-2021-39149",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39149"
},
{
"cve": "CVE-2021-39151",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39151"
},
{
"cve": "CVE-2021-39153",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39153"
},
{
"cve": "CVE-2021-39154",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream aufgrund von mehrfacher unsicherer Deserialisierung von Xalan xsltc.trax.TemplatesImpl, com.sun.xml.internal.ws.client.sei.*, sun.tracing.*, com.sun. jndi.ldap.LdapBindingEnumeration, javax.swing.UIDefaults$ProxyLazyValue, com.sun.jndi.ldap.LdapSearchEnumeration, com.sun.jndi.toolkit.dir.ContextEnumerator und com.sun.corba.*. Ein entfernter authentisierter Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39154"
},
{
"cve": "CVE-2021-39140",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existiert eine Schwachstelle. Der Fehler besteht in der Komponente xstream aufgrund einer Endlosschleife durch unsichere Deserialisierung von sun.reflect.annotation.AnnotationInvocationHandler. Ein entfernter authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39140"
},
{
"cve": "CVE-2021-39150",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream durch eine m\u00f6gliche Server-Side Request Forgery (SSRF) durch unsichere Deserialisierung von jdk.nashorn.internal.runtime.Source$URLData. Ein entfernter authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten von internen Ressourcen anzufordern, die nicht \u00f6ffentlich zug\u00e4nglich sind, indem er den verarbeiteten Eingabestrom manipuliert und so vertrauliche Informationen offenlegen kann."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39150"
},
{
"cve": "CVE-2021-39152",
"notes": [
{
"category": "description",
"text": "In Red Hat Enterprise Linux existieren mehrere Schwachstellen. Die Fehler bestehen in der Komponente xstream durch eine m\u00f6gliche Server-Side Request Forgery (SSRF) durch unsichere Deserialisierung von jdk.nashorn.internal.runtime.Source$URLData. Ein entfernter authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten von internen Ressourcen anzufordern, die nicht \u00f6ffentlich zug\u00e4nglich sind, indem er den verarbeiteten Eingabestrom manipuliert und so vertrauliche Informationen offenlegen kann."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T003303",
"T004914"
]
},
"release_date": "2021-10-24T22:00:00.000+00:00",
"title": "CVE-2021-39152"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…