Public Date:
1051277: CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Find out more about CVE-2013-7285 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Fuse MQ Enterprise 7.1.0 RHSA-2014:0452 2014-04-30
RHEV Manager 3 (jasperreports-server-pro) RHSA-2014:0389 2014-04-09
Red Hat JBoss BPMS 6.0 RHSA-2014:0371 2014-04-03
JBoss Enterprise BRMS Platform 5.3 RHSA-2014:1007 2014-08-05
Fuse ESB Enterprise 7.1.0 RHSA-2014:0452 2014-04-30
Red Hat JBoss A-MQ 6.0 RHSA-2014:0323 2014-03-24
Red Hat JBoss Data Grid 6.2 RHSA-2014:0374 2014-04-03
Red Hat JBoss SOA Platform 5.3 RHSA-2015:1888 2015-10-12
Red Hat JBoss Portal 5.2 RHSA-2014:1059 2014-08-14
Fuse Management Console 7.1.0 RHSA-2014:0452 2014-04-30
Red Hat JBoss Portal 6.2 RHSA-2015:1009 2015-05-14
Red Hat JBoss Fuse 6.0 RHSA-2014:0323 2014-03-24
Red Hat JBoss Data Virtualization 6.0 RHSA-2014:0294 2014-03-13
Red Hat JBoss Fuse Service Works 6.0 RHSA-2014:0216 2014-02-26
Red Hat JBoss BRMS 6.0 RHSA-2014:0372 2014-04-03

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 2 xstream Affected
Red Hat OpenShift Enterprise 1 xstream Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3 xstream Will not fix
Red Hat Enterprise Linux 7 xstream Not affected

External References

Last Modified