Security Bulletin
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
| Affected Product(s) | Version(s) |
| --- | --- |
| UCD - IBM UrbanCode Deploy | 7.0.5.3 |
| UCD - IBM UrbanCode Deploy | 7.1.0.0 |
| UCD - IBM UrbanCode Deploy | 6.2.7.4 |
| UCD - IBM UrbanCode Deploy | 6.2.7.3 |
| UCD - IBM UrbanCode Deploy | 6.2.7.8 |
| UCD - IBM UrbanCode Deploy | 7.0.4.0 |
| UCD - IBM UrbanCode Deploy | 7.0.3.0 |
Remediation/Fixes
Update to IBM UrbanCode Deploy 7.1.0.1, 6.2.7.9, or 7.0.5.4 or later. These releases no longer include the XStream library, and therefore the following CVEs no longer apply:
CVE-2021-21351
CVE-2021-21341
CVE-2021-21344
CVE-2021-21348
CVE-2021-21345
CVE-2021-21342
CVE-2021-21346
CVE-2021-21343
CVE-2021-21347
CVE-2021-21349
CVE-2021-21350
Workarounds and Mitigations
None
References
Change History
29 Mar 2021: Initial Publication
Added hyperlinks to the product versions mentioned and to the CVEs from the advisory.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
13 April 2021
UID
ibm16442999