製品・ソフトウェアに関する情報

JVN脆弱性詳細

XStream におけるサーバサイドのリクエストフォージェリの脆弱性

タイトル	XStream におけるサーバサイドのリクエストフォージェリの脆弱性
概要	XStream には、サーバサイドのリクエストフォージェリの脆弱性、および信頼できないデータのデシリアライゼーションに関する脆弱性が存在します。
想定される影響	情報を取得される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2021年3月13日0:00
登録日	2021年11月26日16:33
最終更新日	2021年11月26日16:33

CVSS3.0 : 重要
スコア	8.6
ベクター	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS2.0 : 警告
スコア	5
ベクター	AV:N/AC:L/Au:N/C:P/I:N/A:N

影響を受けるシステム

Debian

Debian GNU/Linux

Xstream

Xstream 1.4.16 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21349	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21349
National Vulnerability Database (NVD)
2	CVE-2021-21349	https://nvd.nist.gov/vuln/detail/CVE-2021-21349
Vulnerabilities
3	CVE-2021-21349	https://x-stream.github.io/CVE-2021-21349.html

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-502	https://cwe.mitre.org/data/definitions/502.html
2	CWE-918	https://cwe.mitre.org/data/definitions/918.html

ベンダー情報

No	名前	URL
Change History
1	1.4.16	http://x-stream.github.io/changes.html#1.4.16
Debian
2	[SECURITY] [DLA 2616-1] libxstream-java security update	https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
Debian Security Advisory
3	DSA-5004-1	https://www.debian.org/security/2021/dsa-5004
GitHub
4	A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host	https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv
Security Aspects
5	Workarounds for older XStream versions	https://x-stream.github.io/security.html#workaround

変更履歴

No	変更内容	変更日
1	[2021年11月26日] 掲載	2021年11月26日16:33

NVD脆弱性情報

CVE-2021-21349

概要	XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
公表日	2021年3月23日9:15
登録日	2021年3月23日16:02
最終更新日	2024年11月21日14:48

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:xstream_project:xstream::::::::					1.4.16

構成2	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*
cpe:2.3:o:fedoraproject:fedora:35:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:graalvm:21.3.0::::enterprise:::
cpe:2.3:a:oracle:graalvm:20.3.4::::enterprise:::
cpe:2.3:a:oracle:java_se:8u311:::::::*
cpe:2.3:a:oracle:java_se:7u321:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
2	http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
3	https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv	Third Party Advisory
4	https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv	Third Party Advisory
5	https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
6	https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
7	https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
8	https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
9	https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
17	https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
18	https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
19	https://www.debian.org/security/2021/dsa-5004	Third Party Advisory
20	https://www.debian.org/security/2021/dsa-5004	Third Party Advisory
21	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
22	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
23	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
24	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
25	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
26	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
27	https://x-stream.github.io/CVE-2021-21349.html	Exploit Third Party Advisory
28	https://x-stream.github.io/CVE-2021-21349.html	Exploit Third Party Advisory
29	https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory
30	https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory

共通脆弱性一覧

構成4	以上	以下	より上	未満
cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:graalvm:21.3.0::::enterprise:::
cpe:2.3:a:oracle:graalvm:20.3.4::::enterprise:::
cpe:2.3:a:oracle:java_se:8u311:::::::*
cpe:2.3:a:oracle:java_se:7u321:::::::*