Conversation

@sseide (Contributor) commented Oct 21, 2021

Description

The latest update to xstream 1.4.18 contains fixes for 14 CVEs (http://x-stream.github.io/changes.html)

Motivation and Context

Up to version 1.4.17 (before this update) xstream used an internal blacklist to block potential security threats on class (de)serialisation. With this new version they changed to an internal whitelist to allow safe operations only.

BUT - jmeter initializes xstream with an empty security framework (no white/blacklist at all) in JMeterUtils.java
(https://github.com/apache/jmeter/blob/5f1995de244986c820ed47028ceedf9167004673/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java#L1274:L1280), therefore I think the internal change in xstream does not change anything for jmeter.

On the other hand I am not really sure about the security implications of running without a list at all and if these fixes really help...
Someone with a deeper understanding of JMeter's usage of xstream should check where the serialisation is used and where the objects to serialize/unserialize come from (external/network or only internal).

How Has This Been Tested?

gradlew check runs without problems, and we have used it for nearly 2 months ourselves without any problem.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.
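As an added illustration of the point raised above (this is example code written for this page, not code from the PR or from JMeter): the difference between an XStream instance with no type restriction and one configured with an explicit allowlist, using the XStream 1.4.x security API. The TestPlanConfig class and the XML documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    /** Hypothetical application type that we DO want to deserialize. */
    public static class TestPlanConfig {
        public String name;
        public int threads;
    }

    /** Unrestricted setup: any class named in the XML may be instantiated. */
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY); // switches the allowlist off entirely
        return xs;
    }

    /** Hardened setup: drop all permissions, then allow only what the application needs. */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // NONE clears existing permissions
        xs.addPermission(NullPermission.NULL);                // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, TestPlanConfig.class });
        xs.alias("config", TestPlanConfig.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed input naming only allowlisted types: deserialized normally.
        String good = "<config><name>smoke</name><threads>5</threads></config>";
        TestPlanConfig cfg = (TestPlanConfig) xs.fromXML(good);
        System.out.println(cfg.name + " / " + cfg.threads);

        // Constructed input naming a type outside the allowlist: rejected
        // before any instance of that type is created.
        try {
            xs.fromXML("<java.util.ArrayList/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same XML document fed to unrestricted() would be deserialized without any check, which is the behaviour the PR description describes as "no white/blacklist at all".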

@asfgit asfgit closed this in 3c23246 Oct 26, 2021
@FSchumacher (Contributor)

Thanks for the PR

@sseide sseide deleted the update_xstream_1418 branch December 17, 2021 16:09
@johnynfulleffect

@sseide @FSchumacher Just curious if this made it into any tags? I am seeing this vulnerability in my scans of my docker image when using rel/v5.4.3

@sseide (Contributor, Author) commented Jan 6, 2022

No, it does not seem so.
@milamberspace started the current release branch directly after 5.4.1 was released and fixed only the log4j issues with the newer releases 5.4.2 and 5.4.3. Nothing else.

All other updates (like the xstream one) have not been released yet. Maybe Felix Schumacher or Milamber can say something about the next planned release 5.5. This one seems nearly finished, looking at the commit history...
