View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0018351CentOS-7xstreampublic2021-11-12 17:282021-11-15 18:00
Reportermakashu Assigned To 
PriorityurgentSeveritymajorReproducibilityalways
Status newResolutionopen 
Platformx86_64OS3.10.0-1160.45.1.el7.x86_64OS Version7.9.2009
Product Version7.9.2009 
Summary0018351: XStream Arbitrary Code Execution And Multiple vulnerabilities
DescriptionThe current CentOS 7 version 7.9.2009(Kernel version: 3.10.0-1160.45.1.el7.x86_64) does not seems to have the latest fix in version 1.4.18 for the XStream library. The XStream version available on CentOS 7 is xstream-1.3.1.
This has been reported by Built-in Qualys vulnerability assessment on the Virtual Machine with CentOS 7 version with a CVSS base score( v2.0: 9.3, v3.0: 9.9)

As per the Remediation step, it points to https://x-stream.github.io/security.html which needs latest version i.e. 1.4.18 for the XStream library. Currently it seems that version 1.4.18 is available only for CentOS 8 at https://centos.pkgs.org/8/epel-x86_64/xstream-1.4.18-3.el8.noarch.rpm.html

Can I please request that security fix in 1.4.18 for XStream is available for CentOS 7 as well?
TagsNo tags attached.
abrt_hash
URL

Activities

TrevorH

TrevorH

2021-11-12 17:35

manager   ~0038732

The package changelog lists the following that have been patched this year:

* Tue Jun 08 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-14
- Fix remote code execution vulnerability
- Resolves: CVE-2021-29505

* Tue Apr 13 2021 Marian Koncek <mkoncek@redhat.com> - 1.3.1-13
- Fix remote code execution vulnerability
- Resolves: CVE-2021-21344
- Resolves: CVE-2021-21345
- Resolves: CVE-2021-21346
- Resolves: CVE-2021-21347
- Resolves: CVE-2021-21350
makashu

makashu

2021-11-12 17:43

reporter   ~0038733

Thanks but the vulnerability is been reported for the following CVEs:

CVE-2021-39139
CVE-2021-39140
CVE-2021-39141
CVE-2021-39144
CVE-2021-39145
CVE-2021-39146
CVE-2021-39147
CVE-2021-39148
CVE-2021-39149
CVE-2021-39150
CVE-2021-39151
CVE-2021-39152
CVE-2021-39153
CVE-2021-39154
CVE-2021-29505
CVE-2021-21341
CVE-2021-21342
CVE-2021-21343
CVE-2021-21344
CVE-2021-21345
CVE-2021-21346
CVE-2021-21347
CVE-2021-21348
CVE-2021-21349
CVE-2021-21350
CVE-2021-21351
CVE-2020-26258
CVE-2020-26259
CVE-2020-26217
CVE-2017-7957
CVE-2016-3674
CVE-2013-7285
TrevorH

TrevorH

2021-11-12 18:07

manager   ~0038734

You will need to report this to Red Hat via bugzilla.redhat.com to get anything fixed. CentOS only rebuilds what RH make available for RHEL 7. You should probably check the CVE status on their CVE pages for each one in that list to see what they say about each one. For example, the oldest in the list is https://access.redhat.com/security/cve/CVE-2013-7285 and says it is unaffected for RHEL 7.
makashu

makashu

2021-11-15 18:00

reporter   ~0038735

Hi @TrevorH - Thanks for your inputs, I have created https://bugzilla.redhat.com/show_bug.cgi?id=2023445 to track the bug for RHEL 7

Issue History

Date Modified Username Field Change
2021-11-12 17:28 makashu New Issue
2021-11-12 17:35 TrevorH Note Added: 0038732
2021-11-12 17:43 makashu Note Added: 0038733
2021-11-12 18:07 TrevorH Note Added: 0038734
2021-11-15 18:00 makashu Note Added: 0038735