New vulnerability with CVSS score 8.8:
XStream in its default configuration, or configured without a sufficient blacklist / whitelist, is vulnerable to arbitrary code execution. XStream instantiates whatever types the input stream names unless they are explicitly blocked, so an unmarshalled document can make it create instances of dangerous classes that the application never intended to deserialize. The dangerous type in this case is sun.jndi.toolkit.dir.LazySearchEnumerationImpl, a JDK-internal JNDI helper class; the lookup it triggers can be pointed at a server the attacker controls.
An attacker who can supply crafted input to an XStream unmarshal call can therefore execute arbitrary code hosted on a remote host of their choosing.
From BDSA record:
Fixed in 1.4.17 by this commit.
Release : 10.7.0
Component : Introscope
Defect # DE505488
To be fixed in 10.7 SP4
Details of the vulnerability:
FOSSNAME | VERSION | ADVISORY ID (BDSA, not a CVE number) | BASE_SCORE
XStream | 1.4.16 | BDSA-2021-1626 | 8.8
The fix is to upgrade XStream to 1.4.17 (or later). Independently of the upgrade, configuring an explicit type allowlist on every XStream instance that unmarshals untrusted input closes this class of issue, because a type that is not permitted is rejected before XStream instantiates it.
Recommended upgrade: https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.17
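The following is an added example, not code from the Introscope defect record, the BDSA advisory or the XStream project. It shows the "sufficient whitelist configuration" the record refers to: an XStream instance that drops all implicit permissions and re-allows only the types the application actually needs, so that a document naming the type from the advisory is rejected before it is instantiated. It is written against XStream 1.4.17 (groupId com.thoughtworks.xstream, artifactId xstream). The AgentStatus DTO, the package wildcard and both XML documents are constructed for the example.

```java
// Added example (not from the Introscope/BDSA record or the XStream project):
// an explicit XStream type allowlist. Built against XStream 1.4.17.
// The DTO, the package wildcard and the sample XML are assumptions.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class XStreamAllowlistExample {

    /** Hypothetical application DTO: the only type this code needs to unmarshal. */
    public static class AgentStatus {
        public String agentName;
        public int metricCount;
        public List<String> tags;
    }

    /** Build an XStream instance that refuses every type not explicitly permitted. */
    static XStream hardened() {
        XStream xstream = new XStream();
        // Clear all implicit permissions: from here on nothing is allowed
        // unless a later permission allows it.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow null, primitives and their wrappers, String, and the
        // collection hierarchy the DTO uses.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Allow the application's own DTO package (hypothetical name) and the
        // nested DTO defined in this file.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.dto.**" });
        xstream.allowTypes(new Class[] { AgentStatus.class });
        xstream.alias("agentStatus", AgentStatus.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample: a legitimate document round-trips unchanged.
        AgentStatus status = new AgentStatus();
        status.agentName = "EM-01";
        status.metricCount = 42;
        status.tags = new ArrayList<>(Arrays.asList("prod", "eu"));
        String xml = xstream.toXML(status);
        AgentStatus back = (AgentStatus) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.agentName + " / " + back.metricCount);

        // Constructed sample: a document whose root names the dangerous type from
        // the record. This is only the element name, not a working payload; the
        // point is that the allowlist rejects the type before XStream creates it.
        String hostile = "<sun.jndi.toolkit.dir.LazySearchEnumerationImpl/>";
        try {
            xstream.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile type was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The allowlist is applied per XStream instance, so every place the application constructs one for untrusted input needs the same setup; a blacklist alone is what the advisory describes as insufficient, since it has to anticipate every dangerous class in the JDK and on the classpath. Since XStream 1.4.18 a whitelist is the default, but on 1.4.17 the explicit NoTypePermission.NONE call above is what switches the instance from blacklist to allowlist mode.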