openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1840-1)

critical Nessus Plugin ID 151746

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1840-1 advisory.

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21341)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21342)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21343)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. (CVE-2021-21345)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21348)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. (CVE-2021-21349)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21350)

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
(CVE-2021-21351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected xstream, xstream-benchmark, xstream-javadoc and / or xstream-parent packages.

See Also

https://bugzilla.suse.com/1184372

https://bugzilla.suse.com/1184373

https://bugzilla.suse.com/1184374

https://bugzilla.suse.com/1184375

https://bugzilla.suse.com/1184376

https://bugzilla.suse.com/1184377

https://bugzilla.suse.com/1184378

https://bugzilla.suse.com/1184379

https://bugzilla.suse.com/1184380

https://bugzilla.suse.com/1184796

https://bugzilla.suse.com/1184797

http://www.nessus.org/u?aed25093

https://www.suse.com/security/cve/CVE-2021-21341

https://www.suse.com/security/cve/CVE-2021-21342

https://www.suse.com/security/cve/CVE-2021-21343

https://www.suse.com/security/cve/CVE-2021-21344

https://www.suse.com/security/cve/CVE-2021-21345

https://www.suse.com/security/cve/CVE-2021-21346

https://www.suse.com/security/cve/CVE-2021-21347

https://www.suse.com/security/cve/CVE-2021-21348

https://www.suse.com/security/cve/CVE-2021-21349

https://www.suse.com/security/cve/CVE-2021-21350

https://www.suse.com/security/cve/CVE-2021-21351

Plugin Details

Severity: Critical

ID: 151746

File Name: openSUSE-2021-1840.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/16/2021

Updated: 5/9/2022

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2021-21350

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-21345

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:xstream, p-cpe:/a:novell:opensuse:xstream-benchmark, p-cpe:/a:novell:opensuse:xstream-javadoc, p-cpe:/a:novell:opensuse:xstream-parent, cpe:/o:novell:opensuse:15.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/11/2021

Vulnerability Publication Date: 3/23/2021

Reference Information

CVE: CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351