=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xstream security update
Advisory ID:       RHSA-2021:3956-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3956
Issue date:        2021-10-25
CVE Names:         CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 
                   CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 
                   CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 
                   CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 
                   CVE-2021-39153 CVE-2021-39154 
====================================================================
1. Summary:

An update for xstream is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

XStream is a Java XML serialization library that serializes objects to XML
and deserializes objects from XML.

Security Fix(es):

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

Source:
xstream-1.3.1-16.el7_9.src.rpm

noarch:
xstream-1.3.1-16.el7_9.noarch.rpm
xstream-javadoc-1.3.1-16.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
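The following shell check is an addition to this page and is not part of the Red Hat advisory. It takes the fixed package NVR from the Package List above and decides, for each installed NVR as printed by "rpm -q xstream", whether the host is at or past the fixed build. The sample "rpm -q" outputs embedded in the script are constructed, and the function names and the assumption in nvr_vr that the version begins at the first "-<digit>" boundary after the package name are my own.

```shell
#!/bin/sh
# Fixed build for RHEL 7 taken from the advisory's Package List (noarch).
FIXED_NVR="xstream-1.3.1-16.el7_9"

# nvr_vr NVR -> prints the "version-release" part of an RPM name-version-release.
# Assumption: the version is the first hyphen-delimited field that starts with a
# digit, which holds for "xstream" and "xstream-javadoc".
nvr_vr() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*-[^-]+)$/\1/'
}

# is_fixed INSTALLED_NVR FIXED_NVR -> returns 0 when installed >= fixed.
# Uses GNU "sort -V" for version ordering; both inputs must be the same package.
is_fixed() {
    inst=$(nvr_vr "$1")
    fix=$(nvr_vr "$2")
    [ "$inst" = "$fix" ] && return 0
    lowest=$(printf '%s\n%s\n' "$inst" "$fix" | sort -V | head -n 1)
    # If the fixed build sorts lowest, the installed build is newer than it.
    [ "$lowest" = "$fix" ]
}

# report_status NVR_LIST -> one line per NVR, marked VULNERABLE or FIXED.
report_status() {
    printf '%s\n' "$1" | while IFS= read -r nvr; do
        [ -z "$nvr" ] && continue
        if is_fixed "$nvr" "$FIXED_NVR"; then
            echo "FIXED      $nvr"
        else
            echo "VULNERABLE $nvr"
        fi
    done
}

# Constructed sample of "rpm -q xstream" output from three hosts (not real data):
# an older build, the exact fixed build, and a later build.
SAMPLE_INSTALLED="xstream-1.3.1-11.el7
xstream-1.3.1-16.el7_9
xstream-1.3.1-17.el7_9"

report_status "$SAMPLE_INSTALLED"

# Live check on a host that has rpm; skipped where it is absent.
if command -v rpm >/dev/null 2>&1; then
    live=$(rpm -q xstream xstream-javadoc 2>/dev/null | grep -v '^package ' || true)
    [ -n "$live" ] && report_status "$live"
fi
```

Run it on an RHEL 7 host with "sh check-xstream.sh"; the constructed lines are always reported, and the live lines follow when rpm is present. The comparison is on version-release only, so pass it NVRs of the same package name, and note that "xstream-javadoc" is covered by the same fixed build.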

7. References:

https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
