PublicDateAtUSN: 2021-03-23 00:15:00 UTC
Candidate: CVE-2021-21351
PublicDate: 2021-03-23 00:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21351
 https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c
 http://x-stream.github.io/changes.html#1.4.16
 https://x-stream.github.io/CVE-2021-21351.html
 https://x-stream.github.io/security.html#workaround
 https://ubuntu.com/security/notices/USN-4943-1
Description:
 XStream is a Java library to serialize objects to XML and back again. In
 XStream before version 1.4.16, there is a vulnerability which may allow a
 remote attacker to load and execute arbitrary code from a remote host only
 by manipulating the processed input stream. No user who followed the
 recommendation to set up XStream's security framework with a whitelist
 limited to the minimal required types is affected. If you rely on XStream's
 default blacklist of the Security Framework, you will have to use at least
 version 1.4.16.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H [9.1 CRITICAL]

Patches_libxstream-java:
upstream_libxstream-java: released (1.4.16)
precise/esm_libxstream-java: DNE
trusty_libxstream-java: ignored (out of standard support)
trusty/esm_libxstream-java: needs-triage
xenial_libxstream-java: ignored (end of standard support, was needs-triage)
bionic_libxstream-java: released (1.4.11.1-1~18.04.2)
focal_libxstream-java: released (1.4.11.1-1ubuntu0.2)
groovy_libxstream-java: released (1.4.11.1-2ubuntu0.1)
hirsute_libxstream-java: released (1.4.15-1ubuntu0.1)
impish_libxstream-java: released (1.4.15-2)
jammy_libxstream-java: released (1.4.15-2)
devel_libxstream-java: released (1.4.15-2)
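The whitelist setup the description refers to, as an added example. This code is not part of the Ubuntu tracker record or of XStream's own documentation; it uses XStream's public security API (addPermission, allowTypes, ForbiddenClassException). The Person class, the alias and the sample XML are constructed for illustration, and the rejected document simply names a type outside the allowlist; it is not the gadget chain behind CVE-2021-21351.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example: XStream configured with an explicit allowlist of the types
// the application actually exchanges, instead of the default blacklist.
public class XStreamAllowlistExample {

    // Hypothetical application type: the only object we expect in the input.
    public static class Person {
        String name;
        int age;
        Person(String name, int age) { this.name = name; this.age = age; }
    }

    // Build an XStream instance that rejects every type except the ones listed.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "nothing is allowed" ...
        xstream.addPermission(NoTypePermission.NONE);
        // ... then re-add only what a Person document needs: null, primitives
        // (and their boxed forms), String, and the Person class itself.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // A round trip of the expected type still works.
        String xml = xstream.toXML(new Person("Alice", 42));
        Person p = (Person) xstream.fromXML(xml);
        System.out.println("round trip: " + p.name + ", " + p.age);

        // Constructed untrusted input naming a class that is not on the
        // allowlist. Any type that was not explicitly permitted is refused
        // before XStream instantiates it, regardless of what the blacklist knows.
        String untrusted = "<java.lang.ProcessBuilder>"
            + "<command><string>id</string></command>"
            + "</java.lang.ProcessBuilder>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            // Expected: the security framework rejects java.lang.ProcessBuilder.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a larger model, `xstream.allowTypesByWildcard(new String[] { "com.example.model.**" })` (package name assumed here) permits a whole package without listing each class. Note that `XStream.setupDefaultSecurity(xstream)`, the workaround documented for 1.4.10 through 1.4.17, only installs the blacklist the description says is insufficient on its own; users who rely on it still need 1.4.16 or later.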