openEuler update for xstream



Published: 2021-09-08
Risk Critical
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2021-39139
CVE-2021-39141
CVE-2021-39146
CVE-2021-39144
CVE-2021-39145
CVE-2021-39153
CVE-2021-39148
CVE-2021-39150
CVE-2021-39152
CVE-2021-39147
CVE-2021-39140
CVE-2021-39154
CVE-2021-39149
CVE-2021-39151
CWE-ID CWE-20
CWE-502
CWE-94
CWE-918
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Vulnerability #4 is being exploited in the wild.
Public exploit code for vulnerability #8 is available.
Public exploit code for vulnerability #9 is available.
Vulnerable software
Subscribe 		openEuler
Operating systems & Components / Operating system

xstream-parent
Operating systems & Components / Operating system package or component

xstream-javadoc
Operating systems & Components / Operating system package or component

xstream-benchmark
Operating systems & Components / Operating system package or component

xstream-hibernate
Operating systems & Components / Operating system package or component

xstream
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU59813

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39139

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Tools (XStream) component in Oracle Utilities Testing Accelerator. A remote authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of Untrusted Data

EUVDB-ID: #VU73946

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-39141

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Deserialization of Untrusted Data

EUVDB-ID: #VU73949

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39146

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Code Injection

EUVDB-ID: #VU68720

Risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-39144

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in xStream. A remote attacker can pass specially crafted XML data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

5) Deserialization of Untrusted Data

EUVDB-ID: #VU73948

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39145

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU60089

Risk: High

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39153

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Signaling (XStream) component in Oracle Communications Cloud Native Core Policy. A remote authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Deserialization of Untrusted Data

EUVDB-ID: #VU73951

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39148

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU73955

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-39150

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

9) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU73956

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-39152

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

10) Deserialization of Untrusted Data

EUVDB-ID: #VU73950

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39147

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU62511

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39140

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to a crash the entire system.

The vulnerability exists due to improper input validation within the Policy (XStream) component in Oracle Communications Cloud Native Core Policy. A remote authenticated user can exploit this vulnerability to a crash the entire system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU59701

Risk: High

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39154

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Centralized Thirdparty Jars (XStream) component in Oracle Business Activity Monitoring. A remote authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Deserialization of Untrusted Data

EUVDB-ID: #VU73953

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39149

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Deserialization of Untrusted Data

EUVDB-ID: #VU73954

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39151

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

xstream-parent: before 1.4.18-1

xstream-javadoc: before 1.4.18-1

xstream-benchmark: before 1.4.18-1

xstream-hibernate: before 1.4.18-1

xstream: before 1.4.18-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1337


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###