XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The 12.2.1.3.0 and 12.2.1.4.0 versions of WebCenter Sites installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory.

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Centralized Thirdparty     Jars (dojo)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. (CVE-2021-23450)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites     (XStream)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebCenter Sites. (CVE-2021-43859)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites     (CKEditor)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebCenter Sites. (CVE-2022-24729)

  - CVE-2022-32532	Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component:     WebCenter Sites (Apache Shiro)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites.     (CVE-2022-32532)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the Oct 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilites:

  - Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications (component:     Framework (dojo)). The supported version that is affected is 3.0.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Communications Convergence. Successful     attacks of this vulnerability can result in takeover of Oracle Communications Convergence. (CVE-2021-23450)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (jackson-databind)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.     Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of Oracle WebCenter Portal. (CVE-2020-36518)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (Apache Santuario XML Security For Java)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Oracle WebCenter Portal accessible data. (CVE-2021-40690)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1420 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container     Platform 3.11.685. See the following advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2022:1421

    Space precludes documenting all of the container images in this advisory. See the following Release Notes     documentation, which will be updated shortly for this release, for details about these changes:

    https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

    Security Fix(es):

    * workflow-cps: OS command execution through crafted SCM contents (CVE-2022-25173)

    * workflow-cps-global-lib: OS command execution through crafted SCM contents (CVE-2022-25174)

    * workflow-multibranch: OS command execution through crafted SCM contents (CVE-2022-25175)

    * workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25181)

    * workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25182)

    * workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25183)

    * xstream: Injecting highly recursive collections or maps can cause a DoS (CVE-2021-43859)

    * workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names (CVE-2022-25176)

    * workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names     (CVE-2022-25177)

    * workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names     (CVE-2022-25178)

    * workflow-multibranch: Pipeline-related plugins follow symbolic links or do not limit path names     (CVE-2022-25179)

    * workflow-cps: Password parameters are included from the original build in replayed builds     (CVE-2022-25180)

    * pipeline-build-step: Password parameter default values exposed (CVE-2022-25184)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2022:0817-1 advisory.

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:0817-1 advisory.

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.277.x prior to 2.277.43.0.6, 2.303.x prior to 2.303.30.0.5, or 2.x prior to 2.319.3.3. It is, therefore, affected by multiple vulnerabilities:

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

  - Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been     updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. (CVE-2022-0538)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2924 advisory.

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 0b0ad196-1ee8-4a98-89b1-4d5d82af49a9 advisory.

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

  - Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been     updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource     usage. (CVE-2022-0538)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.319.3 or Jenkins weekly prior to 2.334. It is, therefore, affected by multiple vulnerabilities:

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

  - Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been     updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource     usage. (CVE-2022-0538)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196408	RHEL 7 : xstream (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
166377	Oracle WebCenter Sites (Oct 2022 CPU)	Nessus	Windows	critical
166335	Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2022 CPU)	Nessus	Misc.	critical
160255	RHEL 7 : OpenShift Container Platform 3.11.685 (RHSA-2022:1420)	Nessus	Red Hat Local Security Checks	high
159047	openSUSE 15 Security Update : xstream (openSUSE-SU-2022:0817-1)	Nessus	SuSE Local Security Checks	high
158908	SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2022:0817-1)	Nessus	SuSE Local Security Checks	high
158672	Jenkins Enterprise and Operations Center 2.277.x < 2.277.43.0.6 / 2.303.x < 2.303.30.0.5 / 2.319.3.3 Multiple DoS (CloudBees Security Advisory 2022-02-09)	Nessus	CGI abuses	high
158084	Debian DLA-2924-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high
157887	FreeBSD : jenkins -- DoS vulnerability in bundled XStream library (0b0ad196-1ee8-4a98-89b1-4d5d82af49a9)	Nessus	FreeBSD Local Security Checks	high
157860	Jenkins LTS < 2.319.3 / Jenkins weekly < 2.334 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2021-43859

high

Tenable Plugins

critical

critical

critical

high

high

high

high

high

high

high