xstream-1.3.1-12.el7

Errata ID: AXSA:2021-1252:01

Release date: 
Monday, January 18, 2021 - 20:49
Subject: 
xstream-1.3.1-12.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

XStream is a Java XML serialization library that serializes objects to XML and deserializes objects from XML.

Security Fix(es):

* XStream: remote code execution due to insecure XML deserialization when relying on blocklists (CVE-2020-26217)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-26217
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. xstream-1.3.1-12.el7.src.rpm
    MD5: 914088bf5eb10d7e232ff61e82875b23
    SHA-256: a428e30e169c2134523d6748421858d70a2e9a0603d49baafaf734ba2ec128a5
    Size: 7.04 MB

Asianux Server 7 for x86_64
  1. xstream-1.3.1-12.el7.noarch.rpm
    MD5: 07842217579325b090076120fd541395
    SHA-256: e21865cfdd7002240b3f0bacbef1f9f7bf37cd74251cc2249c8a75042c5a615e
    Size: 374.11 kB