Bug 1186651 - (CVE-2021-29505) VUL-0: CVE-2021-29505: xstream: potential code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/300979/
CVSSv3.1:SUSE:CVE-2021-29505:8.1:(AV:...
Reported: 2021-05-31 07:30 UTC by Robert Frohl
Modified: 2022-04-07 12:00 UTC (History)

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Robert Frohl 2021-05-31 07:30:44 UTC
CVE-2021-29505

### Impact
The vulnerability may allow a remote attacker who has sufficient rights to execute
commands on the host only by manipulating the processed input stream. No user is
affected who followed the recommendation to set up XStream's security framework
with a whitelist limited to the minimal required types.

### Patches
If you rely on XStream's default blacklist of the Security Framework, you will
have to use at least version 1.4.17.

### Workarounds
See [workarounds](https://x-stream.github.io/security.html#workaround) for the
different versions covering all CVEs.

### References
See full information about the nature of the vulnerability and the steps to
reproduce it in XStream's documentation for
[CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html).

### Credits

V3geB1rd, white hat hacker from Tencent Security Response Center, found and
reported the issue to XStream and provided the required information to reproduce
it.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
* Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Comment 1 Robert Frohl 2021-05-31 07:31:40 UTC
tracking as affected:

- SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream
- SUSE:SLE-15-SP2:Update/xstream
Comment 2 Silvio Moioli 2021-05-31 08:44:03 UTC
(In reply to Robert Frohl from comment #1)
> tracking as affected:
> 
> - SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream

Robert,

I wonder what you think about how important it is to really fix this particular case.

Some data points:
 - that stream refers to SUSE Manager 4.0, which will go end of life in one month (June 30)
 - the main SUSE Manager code base (https://github.com/SUSE/spacewalk) does not use xstream at all...
 - ...but it does use an isolated command line tool (https://github.com/openSUSE/subscription-matcher/) which in turn requires the Drools library
 - Drools depends on xstream, but we do not feed it with any XML data at all. This is unusual as Drools is typically configured via XML files, but we use hard coded Java statements instead
 - Crucially, we do not feed Drools with any user-controllable XML data as far as my knowledge is concerned

CC'ing Franky who might correct me in case I'm mistaken.

Given these circumstances, are we fine by not patching this for 4.0?
Comment 4 Frantisek Kobzik 2021-06-01 06:47:47 UTC
Only confirming what Silvio wrote.
Comment 5 Robert Frohl 2021-06-01 12:21:35 UTC
(In reply to Silvio Moioli from comment #2)
> (In reply to Robert Frohl from comment #1)
> > tracking as affected:
> > 
> > - SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream
> 
> Robert,
> 
> I wonder what you think about how important it is to really fix this
> particular case.
> 
> Some data points:
>  - that stream refers to SUSE Manager 4.0, which will go end of life in one
> month (June 30)
>  - the main SUSE Manager code base (https://github.com/SUSE/spacewalk) does
> not use xstream at all...
>  - ...but it does use an isolated command line tool
> (https://github.com/openSUSE/subscription-matcher/) which in turn requires
> the Drools library
>  - Drools depends on xstream, but we do not feed it with any XML data at
> all. This is unusual as Drools is typically configured via XML files, but we
> use hard coded Java statements instead
>  - Crucially, we do not feed Drools with any user-controllable XML data as
> far as my knowledge is concerned
> 
> CC'ing Franky who might correct me in case I'm mistaken.
> 
> Given these circumstances, are we fine by not patching this for 4.0?

I think in a case like this it is okay to not ship the fix. I will adjust our tracking.
Comment 7 Swamp Workflow Management 2021-06-17 16:21:10 UTC
SUSE-SU-2021:1995-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1186651
CVE References: CVE-2021-29505
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    xstream-1.4.17-3.11.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    xstream-1.4.17-3.11.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xstream-1.4.17-3.11.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xstream-1.4.17-3.11.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-07-11 13:31:37 UTC
openSUSE-SU-2021:1995-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1186651
CVE References: CVE-2021-29505
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xstream-1.4.17-3.11.2
Comment 9 Robert Frohl 2022-04-07 12:00:34 UTC
done, closing