Ubuntu 16.04 LTS: USN-6978-1 Critical: XStream Remote Code Execution

August 22, 2024

Summary

Several security issues were fixed in XStream.

Software Description:

- libxstream-java: Java library to serialize objects to XML and back again

Details:

It was discovered that XStream incorrectly handled parsing of certain
crafted XML documents. A remote attacker could possibly use this issue to
read arbitrary files. (CVE-2016-3674)

Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code
execution. A remote attacker could run arbitrary shell commands by
manipulating the processed input stream. (CVE-2020-26217)

It was discovered that XStream was vulnerable to server-side request
forgery (SSRF). A remote attacker could request data from internal
resources that are not publicly available simply by manipulating the
processed input stream. (CVE-2020-26258)

It was discovered that XStream was vulnerable to arbitrary file deletion
on the local host. A remote attacker could use this to delete arbitrary
known files on the host as long as the executing pro...
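The fixed packages extend XStream's built-in denylist of dangerous types, but apart from the XML parsing issue (CVE-2016-3674) every problem in this notice is triggered while unmarshalling attacker-controlled XML that names a type the application never intended to create, and the denylist has needed patching again and again. The XStream project's own recommendation is to deny all types and then allow only the classes the application actually deserializes. That security API has been in XStream since 1.4.7, so it is available in the 1.4.7 and 1.4.8 based packages listed below. The Java program that follows is an added illustration, not code from this advisory or from the XStream project: the Person class, the alias and both XML inputs are constructed for the example, and the second input is simply a type outside the allowlist, not a payload for any CVE listed here.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    /** Constructed application DTO: the only model type the parser should build. */
    public static class Person {
        String name;
        int age;
    }

    /** Constructed input: the document the application expects. */
    static final String EXPECTED_XML =
        "<person><name>alice</name><age>30</age></person>";

    /** Constructed input: a type outside the allowlist. Not a gadget chain for any
     *  CVE in this notice; it only shows that the root element picks the class. */
    static final String UNEXPECTED_XML =
        "<java.lang.ProcessBuilder><command><string>id</string></command>"
        + "</java.lang.ProcessBuilder>";

    /** Denylist-only configuration: nothing is forbidden except XStream's own list. */
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("person", Person.class);
        return xs;
    }

    /** Allowlist configuration: deny everything, then re-enable exactly what is needed. */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // drop all default permissions
        xs.addPermission(NullPermission.NULL);                // permit null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean and their boxes
        xs.allowTypes(new Class[] { String.class, Person.class });
        // For a whole model package instead of single classes (hypothetical package name):
        // xs.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xs.alias("person", Person.class);
        return xs;
    }

    /** Returns true if the parser instantiated the document's type, false if the
     *  security framework refused it before any object was created. */
    static boolean accepts(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;                         // root element refused
        } catch (ConversionException e) {
            if (e.getCause() instanceof ForbiddenClassException) {
                return false;                     // nested element refused
            }
            throw e;                              // some other parsing problem
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive, expected   : " + accepts(permissive(), EXPECTED_XML));
        System.out.println("permissive, unexpected : " + accepts(permissive(), UNEXPECTED_XML));
        System.out.println("hardened,   expected   : " + accepts(hardened(), EXPECTED_XML));
        System.out.println("hardened,   unexpected : " + accepts(hardened(), UNEXPECTED_XML));
    }
}
```

With the denylist-only parser, any type that is not on XStream's list is instantiated by reflection before the application sees it; the hardened parser refuses the unexpected root element with ForbiddenClassException and builds nothing. Keep the allowlist as narrow as the application's own model classes, and apply the same configuration to every XStream instance in the code base, since one permissive instance is enough.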

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
   libxstream-java                 1.4.8-1ubuntu0.1+esm3
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS
   libxstream-java                 1.4.7-1ubuntu0.1+esm2
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6978-1

CVE-2016-3674, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259,
CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350, CVE-2021-21351

Severity: Critical

Ubuntu Security Notice USN-6978-1
