Red Hat Security Advisory 2021-3956-01

Red Hat Security Advisory 2021-3956-01: Posted Oct 25, 2021; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2021-3956-01 - XStream is a Java XML serialization library to serialize objects to and deserialize object from XML. Issues addressed include code execution, denial of service, and deserialization vulnerabilities.; tags | advisory, java, denial of service, vulnerability, code execution; systems | linux, redhat; advisories | CVE-2021-39139, CVE-2021-39140, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, CVE-2021-39154; SHA-256 | 6103d3fe2e92cf3b3ffb936ca863973bfc1fa8245666759a1ff144ba9cb97f2c; Download | Favorite | View

Red Hat Security Advisory 2021-3956-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xstream security update
Advisory ID:       RHSA-2021:3956-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3956
Issue date:        2021-10-25
CVE Names:         CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 
                   CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 
                   CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 
                   CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 
                   CVE-2021-39153 CVE-2021-39154 
=====================================================================

1. Summary:

An update for xstream is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

XStream is a Java XML serialization library to serialize objects to and
deserialize object from XML.

Security Fix(es):

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYXZT19zjgjWX9erEAQj7dQ/7BwGftBhVHmPUc5wPY4yrq2M8SLyD0Fcp
UcaQm7VrxmaY1VOBOFty6nlVcOLekne78lrbygRU+CQwf+hi7WblhAdEW+hYW6S3
z9KPn1Pb/8LfPy3wVeS89YYrzT3LgzobQZzsnCOXDwLSesXtIT03oJVwAdTFA8uM
Z3jU8hWM/Bl8i/lOylxrOQMhC4so9JPytF8aqe6J4g634t6Ynbl1n7HCyuwhE0KJ
grx9qp1tdUhRCLqbUs9qv2uGTkF4jqaPXGKLQIkvgAoZ7b9BaTo4iaEs3JPO6NvJ
ey21kgrjkqqOF0/9jGXaS1oUC9OC8YB0YcOpyif44exxnIoUTpYOmDfxBQmbi5cb
hRtySvC4fass8SaQvyYDTEeKBsUQkt5KG1cKrFGorE2jm4Bn3Kz/pFNJhsCUGbVX
U2iqP2zB4k5lg6+kvksylD/hC5jUAZXAp99R1xb7ZqgnDFe/2qQUHaONaoDbslhG
eGQ1EqtKQcTOXNacBeUQDxgqBTIMSPVHWFcABFSwztnpwY4fuoWyJuv3giCdls3m
uTG8k8vUegsGZyXQYT3nSm4VNxl2vmaql24S9sWuFdgXFc0N1zhTBKroYM1mI6Xr
eK7Ada4RdT7Ph8F3tSwK97qEMyzW6vi8tz50YRxoXIl42XeSQz+dd+WQoDXHEe7S
7bwP0bKULTg=
=p2kH
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2021-3956-01

Red Hat Security Advisory 2021-3956-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2021-3956-01

Share This

Red Hat Security Advisory 2021-3956-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems