Lucene search

K
ibmIBMEC044A02B0E22A7ED1DD2C720609594A00EB70394CDCBBA50C26D4638B96FC53
HistoryAug 23, 2021 - 5:41 a.m.

Security Bulletin: XStream (Publicly disclosed vulnerability)

2021-08-2305:41:20
www.ibm.com
29

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.024 Low

EPSS

Percentile

88.3%

Summary

Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream’s security framework with a allowlist limited to the minimal required types. Patches If you rely on XStream’s default blocklist of the Security Framework, you will have to use at least version 1.4.17.

Vulnerability Details

CVEID:CVE-2021-29505
**DESCRIPTION:**XStream XStream could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper input validation. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202795 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
ITNCM 6.4.2

Remediation/Fixes

Affected Product(s) Version(s) Remediation
ITNCM 6.4.2 Upgrade to ITNCM 6.4.2 Fix Pack 14 (6.4.2.14)

ITNCM 6.4.2 Fix Pack 14 can be downloaded from Fix Central

Workarounds and Mitigations

None

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.024 Low

EPSS

Percentile

88.3%