Lucene search

K
atlassian2e857505f334ATLASSIAN:CONFSERVER-69322
HistorySep 10, 2021 - 4:35 a.m.

XStream upgrade to 1.4.18

2021-09-1004:35:37
2e857505f334
jira.atlassian.com
20

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

h3. Problem

XStream is vulnerable to security exploits such as highlighted in the image attached.
(i) The list of CVEs can be found in [https://x-stream.github.io/security.html]

This ticket tracks its upgrade to 1.4.18.
h3. Environment

Confluence v7.13
h3. Workaround

Set {{xstream.allowlist.enable}} sysprop to true. This is equivalent to XStream 1.4.18 behaviour and it exist in Confluence 7.10 and up. But it comes with a risk of broken third-party plugins which have not yet configured [xstream-security|https://confluence.atlassian.com/doc/xstream-1-4-upgrade-1026045605.html] module with their classes. Confirm with Third-party plugin vendors before toggling it if your Confluence instance uses a third-party plugin and it relies on XStream.

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

Related for ATLASSIAN:CONFSERVER-69322