RedHat: RHSA-2021-3956:01 Important: xstream security update
Summary
XStream is a Java XML serialization library to serialize objects to and
deserialize object from XML.
Security Fix(es):
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2021-39139 https://access.redhat.com/security/cve/CVE-2021-39140 https://access.redhat.com/security/cve/CVE-2021-39141 https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/cve/CVE-2021-39145 https://access.redhat.com/security/cve/CVE-2021-39146 https://access.redhat.com/security/cve/CVE-2021-39147 https://access.redhat.com/security/cve/CVE-2021-39148 https://access.redhat.com/security/cve/CVE-2021-39149 https://access.redhat.com/security/cve/CVE-2021-39150 https://access.redhat.com/security/cve/CVE-2021-39151 https://access.redhat.com/security/cve/CVE-2021-39152 https://access.redhat.com/security/cve/CVE-2021-39153 https://access.redhat.com/security/cve/CVE-2021-39154 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
xstream-1.3.1-16.el7_9.src.rpm
noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
xstream-1.3.1-16.el7_9.src.rpm
noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
Source:
xstream-1.3.1-16.el7_9.src.rpm
noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
Source:
xstream-1.3.1-16.el7_9.src.rpm
noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for xstream is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
Bugs Fixed
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue