-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1536
                    USN-5946-1: XStream vulnerabilities
                               14 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           XStream
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-41966 CVE-2021-39154 CVE-2021-39153
                   CVE-2021-39152 CVE-2021-39151 CVE-2021-39150
                   CVE-2021-39149 CVE-2021-39148 CVE-2021-39147
                   CVE-2021-39146 CVE-2021-39145 CVE-2021-39144
                   CVE-2021-39141 CVE-2021-39140 CVE-2021-39139

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-5946-1

Comment: CVSS (Max):  8.8 CVE-2021-39139 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-5946-1: XStream vulnerabilities

13 March 2023

Several security issues were fixed in XStream.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and
Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

  o Ubuntu 22.10
  o Ubuntu 22.04 LTS
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 ESM
  o Ubuntu 14.04 ESM

Packages

  o libxstream-java - Java library to serialize objects to XML and back again

Details

Every issue below is reached when XStream unmarshals (deserializes) XML that
the application did not produce itself, so "opening a specially crafted input
file" covers any code path that feeds attacker-controlled XML to the library,
including network services and automated import jobs, not only a user opening
a file by hand.

Lai Han discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39140)

It was discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39139, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145,
CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149,
CVE-2021-39151, CVE-2021-39153, CVE-2021-39154)

It was discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39150, CVE-2021-39152)

Lai Han discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41966)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 22.10

  o libxstream-java - 1.4.19-1ubuntu0.1

Ubuntu 22.04

  o libxstream-java - 1.4.18-2ubuntu0.1

Ubuntu 20.04

  o libxstream-java - 1.4.11.1-1ubuntu0.3

Ubuntu 18.04

  o libxstream-java - 1.4.11.1-1+deb10u4build0.18.04.1

Ubuntu 16.04

  o libxstream-java - 1.4.8-1ubuntu0.1+esm1
    Available with Ubuntu Pro

Ubuntu 14.04

  o libxstream-java - 1.4.7-1ubuntu0.1+esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes. Note
that the update only replaces the jar on disk: any Java application that
already has the old libxstream-java loaded keeps using it until it is
restarted.
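The version table above can be checked mechanically. The script below is an added example, not part of USN-5946-1 or the Ubuntu packaging: it encodes the fixed versions listed above, compares them against the installed libxstream-java using dpkg's own version ordering, and prints a verdict. Using VERSION_ID from /etc/os-release as the release key, and the sort -V fallback for hosts without dpkg, are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from USN-5946-1 or Ubuntu's packaging): decide whether
# an installed libxstream-java meets the fixed version for a release.
# Release keys are VERSION_ID values from /etc/os-release (assumption);
# fixed versions are the ones listed in the advisory.

fixed_version_for() {
    case "$1" in
        22.10) echo "1.4.19-1ubuntu0.1" ;;
        22.04) echo "1.4.18-2ubuntu0.1" ;;
        20.04) echo "1.4.11.1-1ubuntu0.3" ;;
        18.04) echo "1.4.11.1-1+deb10u4build0.18.04.1" ;;
        16.04) echo "1.4.8-1ubuntu0.1+esm1" ;;
        14.04) echo "1.4.7-1ubuntu0.1+esm1" ;;
        *)     return 1 ;;
    esac
}

# version_ge A B: succeed when A >= B. dpkg implements the real Debian
# ordering; the sort -V fallback (assumption: GNU coreutils) is only for
# hosts without dpkg and is not a full Debian version comparison.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# xstream_status RELEASE INSTALLED: 0 = fixed, 1 = still vulnerable,
# 2 = release not covered by this advisory (that is not a "safe" answer).
xstream_status() {
    fixed=$(fixed_version_for "$1") || return 2
    version_ge "$2" "$fixed"
}

# report RELEASE INSTALLED: one-line verdict; always returns 0 so it is
# safe to call under set -e.
report() {
    if [ -z "$2" ]; then
        echo "libxstream-java is not installed"
        return 0
    fi
    rc=0
    xstream_status "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: libxstream-java $2 >= $(fixed_version_for "$1") on Ubuntu $1" ;;
        1) echo "VULNERABLE: libxstream-java $2 < $(fixed_version_for "$1") on Ubuntu $1" ;;
        *) echo "release '$1' is not covered by USN-5946-1; check the vendor advisory" ;;
    esac
    return 0
}

# Live check of this host, skipped where os-release or dpkg-query is absent.
if [ -r /etc/os-release ] && command -v dpkg-query >/dev/null 2>&1; then
    release=$(. /etc/os-release && printf '%s' "$VERSION_ID")
    installed=$(dpkg-query -W -f '${Version}' libxstream-java 2>/dev/null || true)
    report "$release" "$installed"
fi
```

A verdict of "not covered" means the host's release is outside the advisory's table (for example Debian, or a newer Ubuntu), so the table has nothing to say about it; treat that as unknown rather than as patched.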

References

  o CVE-2021-39139
  o CVE-2021-39140
  o CVE-2021-39141
  o CVE-2021-39144
  o CVE-2021-39145
  o CVE-2021-39146
  o CVE-2021-39147
  o CVE-2021-39148
  o CVE-2021-39149
  o CVE-2021-39150
  o CVE-2021-39151
  o CVE-2021-39152
  o CVE-2021-39153
  o CVE-2021-39154
  o CVE-2022-41966

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=ni+L
-----END PGP SIGNATURE-----