Source: libxstream-java
Version: 1.4.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libxstream-java.

CVE-2021-21341[0]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to allocate 100% CPU time on the target system
| depending on CPU type or parallel execution of such a payload
| resulting in a denial of service only by manipulating the processed
| input stream. No user is affected who followed the recommendation to
| setup XStream's security framework with a whitelist limited to the
| minimal required types. If you rely on XStream's default blacklist of
| the Security Framework, you will have to use at least version 1.4.16.

CVE-2021-21342[1]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream creates therefore new
| instances based on these type information. An attacker can manipulate
| the processed input stream and replace or inject objects, that result
| in a server-side forgery request. No user is affected, who followed
| the recommendation to setup XStream's security framework with a
| whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.

CVE-2021-21343[2]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability where the
| processed stream at unmarshalling time contains type information to
| recreate the formerly written objects. XStream creates therefore new
| instances based on these type information. An attacker can manipulate
| the processed input stream and replace or inject objects, that result
| in the deletion of a file on the local host. No user is affected, who
| followed the recommendation to setup XStream's security framework with
| a whitelist limited to the minimal required types. If you rely on
| XStream's default blacklist of the Security Framework, you will have
| to use at least version 1.4.16.

CVE-2021-21344[3]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21345[4]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker who has sufficient rights to execute commands
| of the host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21346[5]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21347[6]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

CVE-2021-21348[7]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to occupy a thread that consumes maximum CPU
| time and will never return. No user is affected, who followed the
| recommendation to setup XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.

CVE-2021-21349[8]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to request data from internal resources that
| are not publicly available only by manipulating the processed input
| stream. No user is affected, who followed the recommendation to setup
| XStream's security framework with a whitelist limited to the minimal
| required types. If you rely on XStream's default blacklist of the
| Security Framework, you will have to use at least version 1.4.16.

CVE-2021-21350[9]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to execute arbitrary code only by manipulating
| the processed input stream. No user is affected, who followed the
| recommendation to setup XStream's security framework with a whitelist
| limited to the minimal required types. If you rely on XStream's
| default blacklist of the Security Framework, you will have to use at
| least version 1.4.16.

CVE-2021-21351[10]:
| XStream is a Java library to serialize objects to XML and back again.
| In XStream before version 1.4.16, there is a vulnerability which may
| allow a remote attacker to load and execute arbitrary code from a
| remote host only by manipulating the processed input stream. No user
| is affected, who followed the recommendation to setup XStream's
| security framework with a whitelist limited to the minimal required
| types. If you rely on XStream's default blacklist of the Security
| Framework, you will have to use at least version 1.4.16.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21341
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21341
[1] https://security-tracker.debian.org/tracker/CVE-2021-21342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21342
[2] https://security-tracker.debian.org/tracker/CVE-2021-21343
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21343
[3] https://security-tracker.debian.org/tracker/CVE-2021-21344
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21344
[4] https://security-tracker.debian.org/tracker/CVE-2021-21345
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21345
[5] https://security-tracker.debian.org/tracker/CVE-2021-21346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21346
[6] https://security-tracker.debian.org/tracker/CVE-2021-21347
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21347
[7] https://security-tracker.debian.org/tracker/CVE-2021-21348
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21348
[8] https://security-tracker.debian.org/tracker/CVE-2021-21349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
[9] https://security-tracker.debian.org/tracker/CVE-2021-21350
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21350
[10] https://security-tracker.debian.org/tracker/CVE-2021-21351
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351

Regards,
Salvatore
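Every advisory above carries the same mitigation: configure XStream's security framework with a whitelist limited to the minimal required types, so that the version-dependent default blacklist is never the only line of defence. The following is an added example of that configuration; it is not code from the bug report or from the XStream project. `SafeXStreamFactory` and the `Order` payload class are hypothetical names chosen for the illustration, and the two XML strings are constructed sample inputs. The XStream API calls used (`addPermission`, `allowTypes`, `alias`, `fromXML`, and the `NoTypePermission`, `NullPermission`, `PrimitiveTypePermission` and `ForbiddenClassException` classes) exist in the 1.4.x series covered by the report.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Builds an XStream instance whose security framework is a pure allowlist.
 * Any type not listed here is rejected at unmarshalling time with a
 * ForbiddenClassException, regardless of what the default blacklist of the
 * installed XStream version contains. (Hypothetical class name.)
 */
public final class SafeXStreamFactory {

    /** Hypothetical application type: the only object this endpoint accepts. */
    public static final class Order {
        int id;
        String customer;
    }

    public static XStream create() {
        XStream xstream = new XStream();

        // Step 1: clear every permission the instance was created with.
        // After NoTypePermission.NONE nothing may be deserialized, so the
        // default blacklist no longer plays any role in the decision.
        xstream.addPermission(NoTypePermission.NONE);

        // Step 2: re-admit the harmless basics: null, primitives and their
        // wrapper types, and String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });

        // Step 3: admit exactly the application types this endpoint expects,
        // and nothing else. Widen this list only when a new payload type is
        // genuinely required.
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);

        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = create();

        // Constructed sample input of the allowed type: parses normally.
        String expected = "<order><id>42</id><customer>alice</customer></order>";
        Order order = (Order) xstream.fromXML(expected);
        System.out.println("parsed order " + order.id + " for " + order.customer);

        // Constructed sample input naming a type that is not on the allowlist.
        // java.util.Date is harmless; it is used only to show that the
        // allowlist, not the blacklist, decides what may be instantiated.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: an unlisted type was instantiated");
        } catch (ForbiddenClassException e) {
            // The type check happens before any converter runs, so the
            // rejection is raised on the class name alone.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The factory is meant to be the single place an application obtains XStream instances, so a reviewer can audit the allowlist in one file. Because the allowlist is explicit, the behaviour does not depend on whether the packaged version (1.4.15-1 here) ships the blacklist fixes from 1.4.16; upgrading remains necessary for the fixes themselves, but a rejected type is rejected either way. The `ForbiddenClassException` is also a useful signal to log at the service boundary: in normal operation an allowlisted endpoint should never see one, so its appearance is worth alerting on.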