===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1536
                    USN-5946-1: XStream vulnerabilities
                               14 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           XStream
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-41966 CVE-2021-39154 CVE-2021-39153 CVE-2021-39152
                   CVE-2021-39151 CVE-2021-39150 CVE-2021-39149 CVE-2021-39148
                   CVE-2021-39147 CVE-2021-39146 CVE-2021-39145 CVE-2021-39144
                   CVE-2021-39141 CVE-2021-39140 CVE-2021-39139

Original Bulletin:
   https://ubuntu.com/security/notices/USN-5946-1

Comment: CVSS (Max):  8.8 CVE-2021-39139 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-5946-1: XStream vulnerabilities
13 March 2023

Several security issues were fixed in XStream.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and
Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

  o Ubuntu 22.10
  o Ubuntu 22.04 LTS
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 ESM
  o Ubuntu 14.04 ESM

Packages

  o libxstream-java - Java library to serialize objects to XML and back again

Details

Lai Han discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39140)

It was discovered that XStream incorrectly handled certain inputs.
If a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39139, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146,
CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151, CVE-2021-39153,
CVE-2021-39154)

It was discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39150, CVE-2021-39152)

Lai Han discovered that XStream incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41966)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 22.10
  o libxstream-java - 1.4.19-1ubuntu0.1

Ubuntu 22.04
  o libxstream-java - 1.4.18-2ubuntu0.1

Ubuntu 20.04
  o libxstream-java - 1.4.11.1-1ubuntu0.3

Ubuntu 18.04
  o libxstream-java - 1.4.11.1-1+deb10u4build0.18.04.1

Ubuntu 16.04
  o libxstream-java - 1.4.8-1ubuntu0.1+esm1
    Available with Ubuntu Pro

Ubuntu 14.04
  o libxstream-java - 1.4.7-1ubuntu0.1+esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
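The following is an added example, not part of the Ubuntu notice or the AusCERT bulletin: it takes the fixed versions from the update instructions above and checks whether an installed libxstream-java version string (as printed by dpkg-query -W -f '${Version}' libxstream-java) meets the fix for a given release. It assumes dpkg's version ordering, which is reimplemented here so the check also runs where dpkg is not available.

```python
"""Added example, not from the bulletin: compare an installed libxstream-java
version against the USN-5946-1 fixed version for one Ubuntu release.
Assumes dpkg's ordering rules (epoch, upstream, revision; '~' sorts first)."""
import re

# Fixed package versions, copied from the "Update instructions" section.
FIXED_VERSIONS = {
    "22.10": "1.4.19-1ubuntu0.1",
    "22.04": "1.4.18-2ubuntu0.1",
    "20.04": "1.4.11.1-1ubuntu0.3",
    "18.04": "1.4.11.1-1+deb10u4build0.18.04.1",
    "16.04": "1.4.8-1ubuntu0.1+esm1",
    "14.04": "1.4.7-1ubuntu0.1+esm1",
}

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings as alternating non-digit/digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _order(na[i] if i < len(na) else "")
            wb = _order(nb[i] if i < len(nb) else "")
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):          # numeric, so 10 > 3
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision'; epoch and revision are optional."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-")
    return int(epoch), (upstream or rest), (revision if upstream else "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(release, installed):
    """True if the installed version meets the USN-5946-1 fix for 'release'."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

A version with a tilde suffix (a pre-release build) or a lower Debian revision is reported as unfixed, which is the case a naive string comparison gets wrong.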
References

  o CVE-2021-39141
  o CVE-2021-39150
  o CVE-2021-39139
  o CVE-2021-39147
  o CVE-2021-39152
  o CVE-2021-39149
  o CVE-2021-39148
  o CVE-2022-41966
  o CVE-2021-39144
  o CVE-2021-39146
  o CVE-2021-39151
  o CVE-2021-39154
  o CVE-2021-39145
  o CVE-2021-39140
  o CVE-2021-39153

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================