
VULNDB-264109 / CNVD-2021-40246 / CNVD-2021-40248 affecting 1.4.17


Wadeck Follonier

Aug 12, 2021, 4:40:28 AM
to XStream User
Hello there,

We are using Anchore to scan our code and it detected a vulnerability, VULNDB-264109, in XStream 1.4.17, with the two "CVE"s provided in the title as the only information. The two references do not contain any security information to let us understand what the problem is, how to fix it, etc.

References:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-40246
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-40248

So, do you have any information / guidance for us about how to manage this?

My gut feeling at this moment is that they considered https://github.com/x-stream/xstream/commit/652d72f38b33938c54fd3b2ef626cb7dce38001c as being a security correction (looking at the dates). If it's a real vulnerability, it would feel like a public premature disclosure (without any information disclosed...)

Best regards,

Wadeck Follonier
Jenkins Security team

Maya Nakim

Aug 12, 2021, 9:38:44 AM
to XStream User
Hi,
We hit the same issue.
Can you please share the timelines for releasing 1.4.18?

Jörg Schaible

Aug 12, 2021, 5:54:20 PM
to XStream User
Hi Wadeck,

On Thursday, 12. August 2021, 10:40:28 CEST Wadeck Follonier wrote:
> Hello there,
>
> We are using Anchore to scan our code and it detected a vulnerability
> VULNDB-264109, in XStream 1.4.17 with as the only information, the two
> "CVE"s provided in the title. The two references do not contain any
> security information to let us understand what is the problem, how to fix
> it, etc.
>
> References:
> - https://www.cnvd.org.cn/flaw/show/CNVD-2021-40246
> - https://www.cnvd.org.cn/flaw/show/CNVD-2021-40248
>
> So, do you have any information / guidance for us about how to manage this?

Actually I have no clue about the content of those reports; I cannot read them
and I didn't know they existed. However, I have been flooded with
security issues and my complete spare time in the last month was filled with
writing CVE reports.

> My gut feeling at this moment is that they
> considered
> https://github.com/x-stream/xstream/commit/652d72f38b33938c54fd3b2ef626cb7d
> ce38001c as being a security correction (looking at the dates). If it's a
> real vulnerability, it would feel like a public premature disclosure
> (without any information disclosed...)

Every issue targets the default black list in combination with some stuff in the
Java runtime. Since I have better things to do than writing CVE reports, the next
XStream version will install a whitelist by default.

> Best regards,
>
> Wadeck Follonier
> Jenkins Security team

AFAICS, Jenkins uses its own security model in combination with XStream. In
this case I don't think it is affected by any of the reports.

Regards,
Jörg


Jörg Schaible

Aug 12, 2021, 5:57:46 PM
to XStream User
Hi Maya,

On Thursday, 12. August 2021, 15:38:43 CEST 'Maya Nakim' wrote via XStream
User:
> Hi,
> We hit the same issue.
> Can you please share the timelines for releasing 1.4.18?

It depends on my spare time. However, most of the work is done now. Anyway,
no one who already uses a whitelist, as recommended for years, is affected. With
1.4.18 you *will* use this whitelist unless you explicitly disable it - with
all consequences.

Regards,
Jörg
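
For readers who want to see what "using a whitelist" looks like in practice, here is an added example (not code from the thread or from the XStream project) that configures an XStream 1.4.x instance with an explicit allow-list, the setup Jörg recommends and that 1.4.18 makes the default. The `Settings` class, the `com.example.app` package pattern and the two XML documents are assumptions constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowListDemo {

    // Hypothetical application type that we genuinely expect to unmarshal.
    public static class Settings {
        public String name;
        public int retries;
    }

    // Build an XStream instance that only accepts types we opted into.
    static XStream hardened() {
        XStream xs = new XStream();
        // NoTypePermission.NONE clears the default black list so that
        // nothing is permitted; everything below is an explicit opt-in.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Settings.class });
        // Wildcard for an (assumed) application package of our own types.
        xs.allowTypesByWildcard(new String[] { "com.example.app.**" });
        xs.alias("settings", Settings.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed input: an allowed type unmarshals normally.
        String ok = "<settings><name>build</name><retries>3</retries></settings>";
        Settings s = (Settings) xs.fromXML(ok);
        System.out.println(s.name + " / " + s.retries);   // build / 3

        // Constructed input: java.util.Date is harmless but not on the
        // allow-list, so the security mapper rejects it before any
        // converter runs. Unknown types fail closed, which is the point.
        String notAllowed = "<java.util.Date>0</java.util.Date>";
        try {
            xs.fromXML(notAllowed);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a pre-1.4.18 release the same code behaves identically because the allow-list is installed explicitly; the 1.4.18 change only affects instances that never called `addPermission`/`allowTypes` at all.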


Wadeck Follonier

Aug 13, 2021, 2:47:22 AM
to xstrea...@googlegroups.com
Hello Jörg,

> AFAICS, Jenkins uses its own security model in combination with XStream

Exactly, we have our own kind of allow-list to prevent deserialization issues. 

> Since I have better things to do than writing CVE reports

Total empathy :-)

Thank you very much for your answers, that will let me sleep better!

Best regards,

Wadeck
