openSUSE Security Update : xstream (openSUSE-2021-832)

critical Nessus Plugin ID 150248

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for xstream fixes the following issues :

- Upgrade to 1.4.16

- CVE-2021-21351: remote attacker to load and execute arbitrary code (bsc#1184796)

- CVE-2021-21349: SSRF can lead to a remote attacker to request data from internal resources (bsc#1184797)

- CVE-2021-21350: arbitrary code execution (bsc#1184380)

- CVE-2021-21348: remote attacker could cause denial of service by consuming maximum CPU time (bsc#1184374)

- CVE-2021-21347: remote attacker to load and execute arbitrary code from a remote host (bsc#1184378)

- CVE-2021-21344: remote attacker could load and execute arbitrary code from a remote host (bsc#1184375)

- CVE-2021-21342: server-side forgery (bsc#1184379)

- CVE-2021-21341: remote attacker could cause a denial of service by allocating 100% CPU time (bsc#1184377)

- CVE-2021-21346: remote attacker could load and execute arbitrary code (bsc#1184373)

- CVE-2021-21345: remote attacker with sufficient rights could execute commands (bsc#1184372)

- CVE-2021-21343: replace or inject objects, that result in the deletion of files on the local host (bsc#1184376)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Solution

Update the affected xstream packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1184372

https://bugzilla.opensuse.org/show_bug.cgi?id=1184373

https://bugzilla.opensuse.org/show_bug.cgi?id=1184374

https://bugzilla.opensuse.org/show_bug.cgi?id=1184375

https://bugzilla.opensuse.org/show_bug.cgi?id=1184376

https://bugzilla.opensuse.org/show_bug.cgi?id=1184377

https://bugzilla.opensuse.org/show_bug.cgi?id=1184378

https://bugzilla.opensuse.org/show_bug.cgi?id=1184379

https://bugzilla.opensuse.org/show_bug.cgi?id=1184380

https://bugzilla.opensuse.org/show_bug.cgi?id=1184796

https://bugzilla.opensuse.org/show_bug.cgi?id=1184797

Plugin Details

Severity: Critical

ID: 150248

File Name: openSUSE-2021-832.nasl

Version: 1.3

Type: local

Agent: unix

Published: 6/4/2021

Updated: 5/9/2022

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2021-21350

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-21345

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:xstream, p-cpe:/a:novell:opensuse:xstream-benchmark, p-cpe:/a:novell:opensuse:xstream-javadoc, p-cpe:/a:novell:opensuse:xstream-parent, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/3/2021

Vulnerability Publication Date: 3/23/2021

Reference Information

CVE: CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351