Red Hat Product Errata RHSA-2021:1354 - Security Advisory

Issued:: 2021-04-26
Updated:: 2021-04-26

RHSA-2021:1354 - Security Advisory

Overview
Updated Packages

Synopsis

Important: xstream security update

Type/Severity

Security Advisory: Important

Topic

An update for xstream is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

XStream is a Java XML serialization library to serialize objects to and deserialize object from XML.

Security Fix(es):

XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)
XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

BZ - 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
BZ - 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
BZ - 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
BZ - 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
BZ - 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
x86_64
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux Workstation 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
x86_64
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux Desktop 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
x86_64
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
s390x
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux for Power, big endian 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
ppc64
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
x86_64
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

Red Hat Enterprise Linux for Power, little endian 7

SRPM
xstream-1.3.1-13.el7_9.src.rpm	SHA-256: 8bbba051178f7c7034683260f7910d1f7b408afae1983d10e0ba6f202b369255
ppc64le
xstream-1.3.1-13.el7_9.noarch.rpm	SHA-256: 6fd18baf21cbc767e4524e286a861097d3fced3322527b10aef8413ff671f7f9
xstream-javadoc-1.3.1-13.el7_9.noarch.rpm	SHA-256: e0b2c7fa1934fce62adbf6141a796ccd9f8ba39641593f674ddb71171cc5ab14

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories