XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
{
"unresolved_ranges": [
{
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
},
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
},
{
"introduced": "11.0"
},
{
"last_affected": "11.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "fedoraproject:fedora",
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "33"
},
{
"last_affected": "33"
},
{
"introduced": "34"
},
{
"last_affected": "34"
},
{
"introduced": "35"
},
{
"last_affected": "35"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:banking_enterprise_default_management",
"extracted_events": [
{
"introduced": "2.10.0"
},
{
"last_affected": "2.10.0"
},
{
"introduced": "2.12.0"
},
{
"last_affected": "2.12.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:banking_platform",
"cpes": [
"cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "2.4.0"
},
{
"last_affected": "2.4.0"
},
{
"introduced": "2.7.1"
},
{
"last_affected": "2.7.1"
},
{
"introduced": "2.9.0"
},
{
"last_affected": "2.9.0"
},
{
"introduced": "2.12.0"
},
{
"last_affected": "2.12.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:banking_virtual_account_management",
"extracted_events": [
{
"introduced": "14.2.0"
},
{
"last_affected": "14.2.0"
},
{
"introduced": "14.3.0"
},
{
"last_affected": "14.3.0"
},
{
"introduced": "14.5.0"
},
{
"last_affected": "14.5.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:business_activity_monitoring",
"cpes": [
"cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "11.1.1.9.0"
},
{
"last_affected": "11.1.1.9.0"
},
{
"introduced": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.3.0"
},
{
"introduced": "12.2.1.4.0"
},
{
"last_affected": "12.2.1.4.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:communications_billing_and_revenue_management_elastic_charging_engine",
"cpes": [
"cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "12.0.0.3.0"
},
{
"last_affected": "12.0.0.3.0"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:communications_policy_management",
"cpes": [
"cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "12.5.0"
},
{
"last_affected": "12.5.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_unified_inventory_management",
"extracted_events": [
{
"introduced": "7.3.2"
},
{
"last_affected": "7.3.2"
},
{
"introduced": "7.3.4"
},
{
"last_affected": "7.3.4"
},
{
"introduced": "7.3.5"
},
{
"last_affected": "7.3.5"
},
{
"introduced": "7.4.0"
},
{
"last_affected": "7.4.0"
},
{
"introduced": "7.4.1"
},
{
"last_affected": "7.4.1"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:retail_xstore_point_of_service",
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "16.0.6"
},
{
"last_affected": "16.0.6"
},
{
"introduced": "17.0.4"
},
{
"last_affected": "17.0.4"
},
{
"introduced": "18.0.3"
},
{
"last_affected": "18.0.3"
},
{
"introduced": "19.0.2"
},
{
"last_affected": "19.0.2"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "oracle:webcenter_portal",
"cpes": [
"cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "11.1.1.9.0"
},
{
"last_affected": "11.1.1.9.0"
},
{
"introduced": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.3.0"
},
{
"introduced": "12.2.1.4.0"
},
{
"last_affected": "12.2.1.4.0"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:activemq:5.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:activemq:5.16.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "5.15.14"
},
{
"introduced": "5.16.0"
},
{
"last_affected": "5.16.0"
},
{
"introduced": "5.16.1"
},
{
"last_affected": "5.16.1"
}
]
}{
"cpe": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.27"
}
],
"source": "CPE_RANGE"
}{
"cpe": "cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.4.16"
}
]
}