{
  "threat_severity" : "Important",
  "public_date" : "2013-12-22T00:00:00Z",
  "bugzilla" : {
    "description" : "XStream: remote code execution due to insecure XML deserialization",
    "id" : "1051277",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
  },
  "cvss" : {
    "cvss_base_score" : "6.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any other supported format, e.g. JSON.", "It was found that XStream could deserialize arbitrary user-supplied XML content representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application." ],
  "affected_release" : [ {
    "product_name" : "Fuse ESB Enterprise 7.1.0",
    "release_date" : "2014-04-30T00:00:00Z",
    "advisory" : "RHSA-2014:0452",
    "cpe" : "cpe:/a:redhat:fuse_esb_enterprise:7.1.0"
  }, {
    "product_name" : "Fuse Management Console 7.1.0",
    "release_date" : "2014-04-30T00:00:00Z",
    "advisory" : "RHSA-2014:0452",
    "cpe" : "cpe:/a:redhat:fuse_management_console:7.1.0"
  }, {
    "product_name" : "Fuse MQ Enterprise 7.1.0",
    "release_date" : "2014-04-30T00:00:00Z",
    "advisory" : "RHSA-2014:0452",
    "cpe" : "cpe:/a:redhat:fuse_mq_enterprise:7.1.0"
  }, {
    "product_name" : "JBoss Enterprise BRMS Platform 5.3",
    "release_date" : "2014-08-05T00:00:00Z",
    "advisory" : "RHSA-2014:1007",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6.0",
    "release_date" : "2014-03-24T00:00:00Z",
    "advisory" : "RHSA-2014:0323",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.0.0"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.0",
    "release_date" : "2014-04-03T00:00:00Z",
    "advisory" : "RHSA-2014:0371",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.0",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.0",
    "release_date" : "2014-04-03T00:00:00Z",
    "advisory" : "RHSA-2014:0372",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.0",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6.2",
    "release_date" : "2014-04-03T00:00:00Z",
    "advisory" : "RHSA-2014:0374",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6.2.1",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.0",
    "release_date" : "2014-03-13T00:00:00Z",
    "advisory" : "RHSA-2014:0294",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.0",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.0",
    "release_date" : "2014-03-24T00:00:00Z",
    "advisory" : "RHSA-2014:0323",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.0.0"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6.0",
    "release_date" : "2014-02-26T00:00:00Z",
    "advisory" : "RHSA-2014:0216",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.0",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss Portal 5.2",
    "release_date" : "2014-08-14T00:00:00Z",
    "advisory" : "RHSA-2014:1059",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss Portal 6.2",
    "release_date" : "2015-05-14T00:00:00Z",
    "advisory" : "RHSA-2015:1009",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5.3",
    "release_date" : "2015-10-12T00:00:00Z",
    "advisory" : "RHSA-2015:1888",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3",
    "package" : "xstream"
  }, {
    "product_name" : "RHEV Manager version 3.3",
    "release_date" : "2014-04-09T00:00:00Z",
    "advisory" : "RHSA-2014:0389",
    "cpe" : "cpe:/a:redhat:rhev_manager:3",
    "package" : "jasperreports-server-pro-0:5.5.0-6.el6ev"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Will not fix",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:openshift:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-7285\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-7285\nhttp://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html\nhttp://xstream.codehaus.org/security.html\nhttps://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/" ],
  "name" : "CVE-2013-7285",
  "csaw" : false
}