Security update for bea-stax, xstream SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4037-1 Final 1 1 2024-11-19T08:48:56Z current 2024-11-19T08:48:56Z 2024-11-19T08:48:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bea-stax, xstream This update for bea-stax, xstream fixes the following issues: - CVE-2024-47072: Fixed possible remote denial-of-service via a stack overflow (bsc#1233085). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/kiwi:latest-2024-4037,Container suse/manager/5.0/x86_64/server:latest-2024-4037,Image SLES15-SP4-Manager-Server-4-3-2024-4037,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2024-4037,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2024-4037,Image SLES15-SP4-Manager-Server-4-3-BYOS-2024-4037,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2024-4037,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2024-4037,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2024-4037,Image server-image-2024-4037,SUSE-2024-4037,SUSE-SLE-Module-Basesystem-15-SP5-2024-4037,SUSE-SLE-Module-Basesystem-15-SP6-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4037,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4037,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4037,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-4037,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4037,SUSE-Storage-7.1-2024-4037,openSUSE-SLE-15.5-2024-4037,openSUSE-SLE-15.6-2024-4037 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244037-1/ Link for SUSE-SU-2024:4037-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019839.html E-Mail link for SUSE-SU-2024:4037-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233085 SUSE Bug 1233085 https://www.suse.com/security/cve/CVE-2024-47072/ SUSE CVE CVE-2024-47072 page Container bci/kiwi:latest Container suse/manager/5.0/x86_64/server:latest Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image server-image SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 SUSE Manager Server Module 4.3 openSUSE Leap 15.5 openSUSE Leap 15.6 bea-stax-1.2.0-150200.11.3.1 bea-stax-api-1.2.0-150200.11.3.1 xstream-1.4.21-150200.3.28.1 bea-stax-javadoc-1.2.0-150200.11.3.1 xstream-benchmark-1.4.21-150200.3.28.1 xstream-javadoc-1.4.21-150200.3.28.1 xstream-parent-1.4.21-150200.3.28.1 bea-stax-1.2.0-150200.11.3.1 as a component of Container bci/kiwi:latest bea-stax-api-1.2.0-150200.11.3.1 as a component of Container bci/kiwi:latest xstream-1.4.21-150200.3.28.1 as a component of Container suse/manager/5.0/x86_64/server:latest xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3 xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 xstream-1.4.21-150200.3.28.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE xstream-1.4.21-150200.3.28.1 as a component of Image server-image bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Enterprise Storage 7.1 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Enterprise Storage 7.1 xstream-1.4.21-150200.3.28.1 as a component of SUSE Enterprise Storage 7.1 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 xstream-1.4.21-150200.3.28.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Manager Proxy 4.3 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Manager Proxy 4.3 bea-stax-1.2.0-150200.11.3.1 as a component of SUSE Manager Server 4.3 bea-stax-api-1.2.0-150200.11.3.1 as a component of SUSE Manager Server 4.3 xstream-1.4.21-150200.3.28.1 as a component of SUSE Manager Server Module 4.3 bea-stax-1.2.0-150200.11.3.1 as a component of openSUSE Leap 15.5 bea-stax-api-1.2.0-150200.11.3.1 as a component of openSUSE Leap 15.5 xstream-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.5 xstream-benchmark-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.5 xstream-javadoc-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.5 xstream-parent-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.5 bea-stax-1.2.0-150200.11.3.1 as a component of openSUSE Leap 15.6 bea-stax-api-1.2.0-150200.11.3.1 as a component of openSUSE Leap 15.6 xstream-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.6 xstream-benchmark-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.6 xstream-javadoc-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.6 xstream-parent-1.4.21-150200.3.28.1 as a component of openSUSE Leap 15.6 XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. CVE-2024-47072 Container bci/kiwi:latest:bea-stax-1.2.0-150200.11.3.1 Container bci/kiwi:latest:bea-stax-api-1.2.0-150200.11.3.1 Container suse/manager/5.0/x86_64/server:latest:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:xstream-1.4.21-150200.3.28.1 Image SLES15-SP4-Manager-Server-4-3:xstream-1.4.21-150200.3.28.1 Image server-image:xstream-1.4.21-150200.3.28.1 SUSE Enterprise Storage 7.1:bea-stax-1.2.0-150200.11.3.1 SUSE Enterprise Storage 7.1:bea-stax-api-1.2.0-150200.11.3.1 SUSE Enterprise Storage 7.1:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:xstream-1.4.21-150200.3.28.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-api-1.2.0-150200.11.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:xstream-1.4.21-150200.3.28.1 SUSE Manager Proxy 4.3:bea-stax-1.2.0-150200.11.3.1 SUSE Manager Proxy 4.3:bea-stax-api-1.2.0-150200.11.3.1 SUSE Manager Server 4.3:bea-stax-1.2.0-150200.11.3.1 SUSE Manager Server 4.3:bea-stax-api-1.2.0-150200.11.3.1 SUSE Manager Server Module 4.3:xstream-1.4.21-150200.3.28.1 openSUSE Leap 15.5:bea-stax-1.2.0-150200.11.3.1 openSUSE Leap 15.5:bea-stax-api-1.2.0-150200.11.3.1 openSUSE Leap 15.5:xstream-1.4.21-150200.3.28.1 openSUSE Leap 15.5:xstream-benchmark-1.4.21-150200.3.28.1 openSUSE Leap 15.5:xstream-javadoc-1.4.21-150200.3.28.1 openSUSE Leap 15.5:xstream-parent-1.4.21-150200.3.28.1 openSUSE Leap 15.6:bea-stax-1.2.0-150200.11.3.1 openSUSE Leap 15.6:bea-stax-api-1.2.0-150200.11.3.1 openSUSE Leap 15.6:xstream-1.4.21-150200.3.28.1 openSUSE Leap 15.6:xstream-benchmark-1.4.21-150200.3.28.1 openSUSE Leap 15.6:xstream-javadoc-1.4.21-150200.3.28.1 openSUSE Leap 15.6:xstream-parent-1.4.21-150200.3.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244037-1/ https://www.suse.com/security/cve/CVE-2024-47072.html CVE-2024-47072 https://bugzilla.suse.com/1233085 SUSE Bug 1233085