Security update for xstream SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1401-1 Final 1 1 2021-10-31T14:52:41Z current 2021-10-31T14:52:41Z 2021-10-31T14:52:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xstream This update for xstream fixes the following issues: - Upgrade to 1.4.18 - CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798) - CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798) - CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798) - CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) - CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1401 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ E-Mail link for openSUSE-SU-2021:1401-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1189798 SUSE Bug 1189798 https://www.suse.com/security/cve/CVE-2021-39139/ SUSE CVE CVE-2021-39139 page https://www.suse.com/security/cve/CVE-2021-39140/ SUSE CVE CVE-2021-39140 page https://www.suse.com/security/cve/CVE-2021-39141/ SUSE CVE CVE-2021-39141 page https://www.suse.com/security/cve/CVE-2021-39144/ SUSE CVE CVE-2021-39144 page https://www.suse.com/security/cve/CVE-2021-39145/ SUSE CVE CVE-2021-39145 page https://www.suse.com/security/cve/CVE-2021-39146/ SUSE CVE CVE-2021-39146 page https://www.suse.com/security/cve/CVE-2021-39147/ SUSE CVE CVE-2021-39147 page https://www.suse.com/security/cve/CVE-2021-39148/ SUSE CVE CVE-2021-39148 page https://www.suse.com/security/cve/CVE-2021-39149/ SUSE CVE CVE-2021-39149 page https://www.suse.com/security/cve/CVE-2021-39150/ SUSE CVE CVE-2021-39150 page https://www.suse.com/security/cve/CVE-2021-39151/ SUSE CVE CVE-2021-39151 page https://www.suse.com/security/cve/CVE-2021-39152/ SUSE CVE CVE-2021-39152 page https://www.suse.com/security/cve/CVE-2021-39153/ SUSE CVE CVE-2021-39153 page https://www.suse.com/security/cve/CVE-2021-39154/ SUSE CVE CVE-2021-39154 page openSUSE Leap 15.2 xstream-1.4.18-lp152.2.12.1 xstream-benchmark-1.4.18-lp152.2.12.1 xstream-javadoc-1.4.18-lp152.2.12.1 xstream-parent-1.4.18-lp152.2.12.1 xstream-1.4.18-lp152.2.12.1 as a component of openSUSE Leap 15.2 xstream-benchmark-1.4.18-lp152.2.12.1 as a component of openSUSE Leap 15.2 xstream-javadoc-1.4.18-lp152.2.12.1 as a component of openSUSE Leap 15.2 xstream-parent-1.4.18-lp152.2.12.1 as a component of openSUSE Leap 15.2 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39139 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39139.html CVE-2021-39139 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39140 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39140.html CVE-2021-39140 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39141 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39141.html CVE-2021-39141 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39144 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39144.html CVE-2021-39144 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39145 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39145.html CVE-2021-39145 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39146 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39146.html CVE-2021-39146 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39147 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39147.html CVE-2021-39147 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39148 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39148.html CVE-2021-39148 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39149 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39149.html CVE-2021-39149 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. CVE-2021-39150 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39150.html CVE-2021-39150 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39151 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39151.html CVE-2021-39151 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. CVE-2021-39152 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39152.html CVE-2021-39152 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39153 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39153.html CVE-2021-39153 https://bugzilla.suse.com/1189798 SUSE Bug 1189798 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. CVE-2021-39154 openSUSE Leap 15.2:xstream-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-benchmark-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-javadoc-1.4.18-lp152.2.12.1 openSUSE Leap 15.2:xstream-parent-1.4.18-lp152.2.12.1 important 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PVLPNQBYDFG66KQSVPOIZDRX3AQEQYGU/ https://www.suse.com/security/cve/CVE-2021-39154.html CVE-2021-39154 https://bugzilla.suse.com/1189798 SUSE Bug 1189798