CVE-2019-10173 — CRITICAL (9.8)

Q: How severe is CVE-2019-10173?

CVE-2019-10173 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-10173?

Check the references section above for vendor advisories and patch information. Affected products include: Xstream Xstream, Oracle Banking Platform, Oracle Business Activity Monitoring, Oracle Communications Billing And Revenue Management Elastic Charging Engine, Oracle Communications Diameter Signaling Router.

Vulnerability Description

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xstream	Xstream	1.4.10
Oracle	Banking Platform	>= 2.4.0, <= 2.10.0
Oracle	Business Activity Monitoring	11.1.1.9.0
Oracle	Communications Billing And Revenue Management Elastic Charging Engine	11.3.0.9.0
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.2.2
Oracle	Communications Unified Inventory Management	7.3.0
Oracle	Endeca Information Discovery Studio	3.2.0
Oracle	Retail Xstore Point Of Service	17.0
Oracle	Utilities Framework	>= 4.3.0.1.0, <= 4.3.0.6.0
Oracle	Webcenter Portal	11.1.1.9.0

Related Weaknesses (CWE)

CWE-94 CWE-502

References

http://x-stream.github.io/changes.html#1.4.11Release NotesThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173Issue TrackingThird Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
http://x-stream.github.io/changes.html#1.4.11Release NotesThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory

FAQ

What is CVE-2019-10173?

CVE-2019-10173 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attack...

How severe is CVE-2019-10173?

CVE-2019-10173 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-10173?

Check the references section above for vendor advisories and patch information. Affected products include: Xstream Xstream, Oracle Banking Platform, Oracle Business Activity Monitoring, Oracle Communications Billing And Revenue Management Elastic Charging Engine, Oracle Communications Diameter Signaling Router.