(RHSA-2014:0294) Important: XStream security update

2014-03-13T23:11:29
ID RHSA-2014:0294
Type redhat
Reporter RedHat
Modified 2019-02-20T17:13:39

Description

XStream is a simple library to serialize and de-serialize objects to and from XML.

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285)

The main distribution of Red Hat JBoss Data Virtualization 6.0.0 does not contain the vulnerable XStream library and is not vulnerable to CVE-2013-7285. Only users of Red Hat JBoss Data Virtualization 6.0.0 who installed an optional S-RAMP distribution as provided from the Red Hat Customer Portal are advised to apply this update.
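The flaw above comes from letting the XML choose which Java type is instantiated. The following is an added example, not code from the advisory or from Red Hat, showing how an application can restrict XStream to an explicit type allowlist. It assumes an XStream release that ships the `com.thoughtworks.xstream.security` package; the `Order` class, the `order` alias and the sample XML are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical DTO: the only application type this parser should accept.
    static class Order {
        String id;
        int quantity;
    }

    static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Start from "deny every type", then permit only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns the parsed Order, or null when the XML is rejected or is not an Order.
    static Order parseOrder(XStream xstream, String xml) {
        try {
            Object parsed = xstream.fromXML(xml);
            // An allowed but unexpected root type (e.g. a bare String) is also refused.
            return parsed instanceof Order ? (Order) parsed : null;
        } catch (XStreamException e) {
            // Types outside the allowlist and malformed XML both end up here.
            System.err.println("rejected: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample inputs: one expected type, one type not on the allowlist.
        String expected = "<order><id>A-100</id><quantity>3</quantity></order>";
        String unexpected = "<java.util.Date>2014-03-13 00:00:00.0 UTC</java.util.Date>";
        Order ok = parseOrder(xstream, expected);
        System.out.println("expected type parsed: " + (ok != null));
        System.out.println("unexpected type parsed: " + (parseOrder(xstream, unexpected) != null));
    }
}
```

An allowlist of this kind limits which types untrusted XML can name; it complements applying the update and does not replace it.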