[Geoserver-devel] [JIRA] (GEOS-10280) Geoserver Xstream version (current 1.4.11.1) has known vulnerabilities

Mon, 18 Oct 2021 07:53:54 -0700 

Maurice Grefe ( 
https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=5eb5466086d01b0b7d28c932
 ) *created* an issue

GeoServer ( 
https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 ) / Bug ( 
https://osgeo-org.atlassian.net/browse/GEOS-10280?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 ) GEOS-10280 ( 
https://osgeo-org.atlassian.net/browse/GEOS-10280?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 ) Geoserver Xstream version (current 1.4.11.1) has known vulnerabilities ( 
https://osgeo-org.atlassian.net/browse/GEOS-10280?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 )

Issue Type: Bug Assignee: Unassigned Created: 18/Oct/21 4:53 PM Priority: 
Medium Reporter: Maurice Grefe ( 
https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=5eb5466086d01b0b7d28c932
 )

Hello all,

I don't know if the following vulnerabilities are relevant (a similar ticket 
was already addressed in August 2019 ( GEOS-9307 ( 
https://osgeo-org.atlassian.net/browse/GEOS-9307 ) ) ), however the 
vulnerabilities are rated Critical and are already fixed by a newer version.

Critical:

* CVE-2021-21351, CVE-2021-21345, CVE-2021-21350, CVE-2021-21344, 
CVE-2021-21347, CVE-2021-21342,
CVE-2021-21346 - vulnerability may allow a remote attacker to load and execute 
arbitrary code from a remote host only by manipulating the processed input 
stream
High:
* CVE-2021-39151, CVE-2021-39153, CVE-2021-39154, CVE-2020-26217, 
CVE-2020-26258, CVE-2021-39141: vulnerability may allow a remote attacker has 
sufficient rights to execute commands of the host only by manipulating the 
processed input stream.
* CVE-2021-21341: vulnerability which may allow a remote attacker to allocate 
100% CPU time on the target system depending on CPU type or parallel execution 
of such a payload resulting in a denial of service only by manipulating the 
processed input stream.
* CVE-2021-21343: vulnerability where the processed stream at unmarshalling 
time contains type information to recreate the formerly written objects. 
XStream creates therefore new instances based on these type information. An 
attacker can manipulate the processed input stream and replace or inject 
objects, that result in the deletion of a file on the local host.

Version 1.4.18 Link ( https://x-stream.github.io/changes.html#1.4.18 ) will fix 
all these vulnerabilities.

( 
https://osgeo-org.atlassian.net/browse/GEOS-10280#add-comment?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 ) Add Comment ( 
https://osgeo-org.atlassian.net/browse/GEOS-10280#add-comment?atlOrigin=eyJpIjoiMmEzMWI3Y2JhMzgyNDkwM2I0YmIwZDIyMmNhYmNlNzEiLCJwIjoiaiJ9
 )

Get Jira notifications on your phone! Download the Jira Cloud app for Android ( 
https://play.google.com/store/apps/details?id=com.atlassian.android.jira.core&referrer=utm_source%3DNotificationLink%26utm_medium%3DEmail
 ) or iOS ( 
https://itunes.apple.com/app/apple-store/id1006972087?pt=696495&ct=EmailNotificationLink&mt=8
 ) This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100183- 
sha1:f5b067a )
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel














    











					Reply via email to