Date: Fri, 10 Jan 2014 10:07:57 +1000
From: David Jorm <djorm@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: remote code execution via deserialization in XStream

On 01/10/2014 09:46 AM, cve-assign@...re.org wrote:
>
>> http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
> Use CVE-2013-7285.
>
> At least initially, the scope of this CVE is "XStream is an
> 'reflection-based XML-to-Object conversion'" in that file, and all of
> the implications of unrestricted conversion, including "allows the
> creation of server side objects based on reflection (which means that
> you could have all sorts of business-logic sensitive objects being
> created)" -- which is mentioned separately in that file.
>
> If this does not make sense, and multiple CVEs are needed, please let
> us know.
>
> -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]

That makes sense, and I think a single CVE ID is all that is needed in 
this case.

Thanks
David
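The fix on the application side for the issue this thread assigns a CVE to is to stop XStream from instantiating whatever class an incoming document names. As an added example, not code from this thread or from the XStream project, a deny-by-default configuration built on XStream's type-permission API (assumed available from XStream 1.4.7 onwards; the Person class and both XML documents are constructed for the demonstration):

```java
// Added example: deny-by-default XStream configuration (not from the thread).
// Assumes XStream 1.4.7 or later, where the type-permission API exists.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    /** Plain data class the application expects; constructed for this example. */
    public static class Person {
        String name;
        int age;
    }

    /** Build an XStream instance that refuses every type not listed here. */
    static XStream restricted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // drop the default "allow everything"
        xs.addPermission(NullPermission.NULL);                // null values are fine
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Person.class });
        xs.alias("person", Person.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = restricted();

        // Constructed document that names only allow-listed types: accepted.
        Person p = (Person) xs.fromXML(
            "<person><name>Alice</name><age>30</age></person>");
        System.out.println("parsed " + p.name + ", " + p.age);

        // Constructed document that asks the parser to instantiate a type the
        // application never registered (any existing JDK class serves for the
        // demonstration). The mapper rejects it before any object is created.
        try {
            xs.fromXML("<java.util.HashMap/>");
            System.out.println("BUG: unlisted type was instantiated");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Every type the application legitimately needs must be added to the allow list, so a reasonable regression check is one test per document shape you accept plus one that confirms an unlisted type is rejected.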
