Synopsis
The remote Amazon Linux 2 host is missing a security update.
Description
The version of xstream installed on the remote host is prior to 1.3.1-13. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1645 advisory.
- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. If you rely on the default blacklist of XStream's security framework, you will have to use at least version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)
- In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host solely by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. If you rely on the default blacklist of XStream's security framework, you will have to use at least version 1.4.16. (CVE-2021-21345)
- In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code solely by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. If you rely on the default blacklist of XStream's security framework, you will have to use at least version 1.4.16. (CVE-2021-21350)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
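The whitelist setup that the description above says leaves users unaffected can look like the following. This is an added example, not code from the advisory or from the XStream project. It assumes an XStream release that ships the `com.thoughtworks.xstream.security` package (upstream 1.4.7 or later), and the `Order` class and the sample XML strings are hypothetical and constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only class this service expects in its XML.
    public static class Order {
        String id;
        int quantity;
    }

    static XStream newRestrictedXStream() {
        XStream xstream = new XStream();
        // Deny every type first, so nothing depends on the default blacklist.
        xstream.addPermission(NoTypePermission.NONE);
        // Then allow only what the expected documents need.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class, String.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true if the document was accepted, false if XStream rejected it.
    static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (XStreamException e) {
            // A type outside the allowlist surfaces here (ForbiddenClassException).
            System.out.println("rejected: " + e.getClass().getSimpleName());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = newRestrictedXStream();
        // Constructed sample input using only allowed types.
        String expected = "<order><id>A-1</id><quantity>2</quantity></order>";
        // Constructed sample input naming a harmless type that is not on the allowlist.
        String unexpected = "<java.util.Date>2021-05-20 00:00:00.0 UTC</java.util.Date>";
        System.out.println("expected document accepted: " + accepts(xstream, expected));
        System.out.println("unexpected type accepted:   " + accepts(xstream, unexpected));
    }
}
```

With this configuration, input is rejected as soon as it names a type outside the list, before any converter for that type runs.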
Solution
Run 'yum update xstream' to update your system.
Plugin Details
File Name: al2_ALAS-2021-1645.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:xstream, p-cpe:/a:amazon:linux:xstream-javadoc, cpe:/o:amazon:linux:2
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/rpm-list, Host/AmazonLinux/release
Exploit Ease: No known exploits are available
Patch Publication Date: 5/20/2021
Vulnerability Publication Date: 3/23/2021