The remote SUSE Linux SLED15 / SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3476-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2021:3476-1)

high Nessus Plugin ID 154298

Version 1.8

Version 1.7

Version 1.6

Version 1.5

Version 1.4

Version 1.3

Version 1.8 Nov 28, 2023, 2:15 PM Exploit attributes ("Exploit framework metasploit" set to "True") Plugin Feed: 202311281415
Version 1.7 Jul 12, 2023, 5:37 PM Detection Plugin Feed: 202307121737
Version 1.6 Mar 10, 2023, 11:54 PM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Plugin Feed: 202303102354
Version 1.5 Jan 23, 2023, 4:10 PM Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202301231610
Version 1.4 Dec 6, 2022, 4:40 AM Reference Plugin Feed: 202212060440
Version 1.3 Nov 16, 2022, 9:51 PM Exploit attributes CVSS temporal metrics Plugin Feed: 202211162151