CVE-2021-39152 in Ubuntu

CVE-2021-39152

Priority

Description

XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker to request
data from internal resources that are not publicly available only by
manipulating the processed input stream with a Java runtime version 14 to
8. No user is affected, who followed the recommendation to setup XStream's
security framework with a whitelist limited to the minimal required types.
If you rely on XStream's default blacklist of the [Security
Framework](https://x-stream.github.io/security.html#framework), you will
have to use at least version 1.4.18.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39152
https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2
https://x-stream.github.io/CVE-2021-39152.html

Notes

Package

Source: libxstream-java (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	needed
Ubuntu 21.10:	needed
Ubuntu 22.04 LTS:	not-affected (1.4.18-1)
Ubuntu 14.04 ESM:	needed

Patches:

More Information

Updated: 2022-04-25 00:57:51 UTC (commit ecc1009cb19540b950de59270950018900f37f15)