
update x-stream to 1.4.18 (from 1.4.17) #675

Closed (2 commits)

Conversation

sseide
Contributor

@sseide sseide commented Oct 21, 2021

Description

The latest update to xstream 1.4.18 contains fixes for 14 CVEs (http://x-stream.github.io/changes.html)

Motivation and Context

Up to version 1.4.17 (before this update) xstream used an internal blacklist to block potential security threats on class (de)serialisation. With this new version they changed to an internal whitelist to allow safe operations only.

BUT - jmeter initializes xstream with an empty security framework (no white/blacklist at all) in JMeterUtils.java
(https://github.com/apache/jmeter/blob/5f1995de244986c820ed47028ceedf9167004673/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java#L1274:L1280), therefore I think the internal change in xstream does not change anything for jmeter.

On the other hand I am not really sure about the security implications of running without a list at all and if these fixes really help...
Someone with a deeper understanding of jmeter's usage of xstream should check where the serialisation is used and where the objects to serialize/unserialize come from (external/network or only internal).

How Has This Been Tested?

`gradlew check` runs without problems, and we have used it ourselves for nearly 2 months without any problem.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.
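To illustrate the configuration the description is about, here is an added example (not JMeter's or XStream's own code; `XStreamAllowlistDemo`, `TestElement` and the XML inputs are constructed for it) that sets up XStream's security framework once with no restriction at all and once with an explicit allowlist, assuming XStream 1.4.18 on the classpath:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {
    // Constructed stand-in for an internal element type; not a JMeter class.
    public static class TestElement {
        public String name;
        public int threads;
    }

    // "No list at all": every type named in the XML may be instantiated, so the
    // allowlist default introduced in 1.4.18 gives no benefit to this parser.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);  // drop the defaults ...
        xs.addPermission(AnyTypePermission.ANY);  // ... and allow everything again
        return xs;
    }

    // Allowlist: only the types this parser really needs can be instantiated.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from nothing
        xs.addPermission(NullPermission.NULL);                // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, TestElement.class });
        xs.alias("TestElement", TestElement.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed input: one document the parser expects, one naming a type it never uses.
        String expected = "<TestElement><name>plan</name><threads>5</threads></TestElement>";
        String unexpected = "<java.util.HashMap/>";

        // The permissive parser instantiates whatever class name the document carries.
        Object o = permissive().fromXML(unexpected);
        System.out.println("permissive parser created: " + o.getClass().getName());

        XStream safe = allowlisted();
        TestElement te = (TestElement) safe.fromXML(expected);
        System.out.println("allowlisted parser read element: " + te.name);
        try {
            safe.fromXML(unexpected);  // HashMap is not on the allowlist
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted parser rejected: " + e.getMessage());
        }
    }
}
```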

@asfgit asfgit closed this in 3c23246 Oct 26, 2021
@FSchumacher
Contributor

Thanks for the PR

@sseide sseide deleted the update_xstream_1418 branch December 17, 2021 16:09
@johnynfulleffect

@sseide @FSchumacher Just curious if this made it into any tags? I am seeing this vulnerability in my scans of my docker image when using rel/v5.4.3

@sseide
Contributor Author

sseide commented Jan 6, 2022

No, it does not seem so.
@milamberspace started the current release branch directly after 5.4.1 was released and fixed only the log4j issues with the newer releases 5.4.2 and 5.4.3. Nothing else.

All other updates (like the xstream one) have not been released yet. Maybe Felix Schumacher or Milamber can say something about the next planned release 5.5. This one seems nearly finished, looking at the commit history...

This pull request was closed.