Bug#985843: libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351

Salvatore Bonaccorso carnil at debian.org
Wed Mar 24 18:28:01 GMT 2021


Source: libxstream-java
Version: 1.4.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for libxstream-java.

CVE-2021-21341[0]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to allocate 100% CPU time on the target system
| depending on CPU type or parallel execution of such a payload,
| resulting in a denial of service only by manipulating the processed
| input stream. No user is affected who followed the recommendation to
| set up XStream's security framework with a whitelist limited to the
| minimal required types. If you rely on XStream's default blacklist of
| the Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21342[1]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in a server-side request forgery. No user is affected who followed
| the recommendation to set up XStream's security framework with a
| whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21343[2]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream therefore creates new
| instances based on this type information. An attacker can manipulate
| the processed input stream and replace or inject objects that result
| in the deletion of a file on the local host. No user is affected who
| followed the recommendation to set up XStream's security framework
| with a whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.


CVE-2021-21344[3]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21345[4]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker who has sufficient rights to execute commands
| of the host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21346[5]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21347[6]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


CVE-2021-21348[7]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to occupy a thread that consumes maximum CPU
| time and will never return. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21349[8]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to request data from internal resources that
| are not publicly available only by manipulating the processed input
| stream. No user is affected who followed the recommendation to set up
| XStream's security framework with a whitelist limited to the minimal
| required types. If you rely on XStream's default blacklist of the
| Security Framework, you will have to use at least version 1.4.16.


CVE-2021-21350[9]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to execute arbitrary code only by manipulating
| the processed input stream. No user is affected who followed the
| recommendation to set up XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.


CVE-2021-21351[10]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected who followed the recommendation to set up XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21341
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
[1] https://security-tracker.debian.org/tracker/CVE-2021-21342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
[2] https://security-tracker.debian.org/tracker/CVE-2021-21343
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
[3] https://security-tracker.debian.org/tracker/CVE-2021-21344
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
[4] https://security-tracker.debian.org/tracker/CVE-2021-21345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
[5] https://security-tracker.debian.org/tracker/CVE-2021-21346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
[6] https://security-tracker.debian.org/tracker/CVE-2021-21347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
[7] https://security-tracker.debian.org/tracker/CVE-2021-21348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
[8] https://security-tracker.debian.org/tracker/CVE-2021-21349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
[9] https://security-tracker.debian.org/tracker/CVE-2021-21350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
[10] https://security-tracker.debian.org/tracker/CVE-2021-21351
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351

Regards,
Salvatore


