CVE-2021-39139

Severity: High (CVSS 3.1 base score 8.8)
Published Aug 23, 2021 · Last Modified Jun 17, 2026

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the processed input stream. A user is only affected when using the library out of the box with JDK 1.7u21 or below. However, the scenario can easily be adapted to an external Xalan, which works regardless of the Java runtime version. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
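The allowlist configuration the description refers to, as an added example (this is not code from the XStream project or from the advisory): it initialises XStream's security framework with an empty permission set and re-enables only the types the application actually deserializes, so any other class named in the input stream is rejected before a converter runs. Order and LineItem are hypothetical application classes and the two XML documents are constructed for the demonstration; the permission classes and ForbiddenClassException are XStream's own, from the com.thoughtworks.xstream.security package.

```java
// Added example (not XStream project code): run XStream with an allowlist limited
// to the application's own types, as the advisory recommends for every version.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class XStreamAllowlistExample {

    // Hypothetical domain types this service expects on its input stream.
    public static class LineItem {
        String sku;
        int quantity;
    }

    public static class Order {
        String id;
        List<LineItem> items = new ArrayList<>();
    }

    /** Builds an XStream instance that deserializes only the listed types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from nothing: forbid every type, then re-enable what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // ArrayList is XStream's default implementation for a List-typed field,
        // so it must be allowed alongside the domain classes.
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class, LineItem.class });
        // Element aliases are cosmetic; they keep the sample XML short.
        xstream.alias("order", Order.class);
        xstream.alias("item", LineItem.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input of the expected shape: accepted.
        String legit = "<order><id>A-1001</id><items>"
                + "<item><sku>X1</sku><quantity>2</quantity></item></items></order>";
        Order order = (Order) xstream.fromXML(legit);
        System.out.println("parsed order " + order.id + " with " + order.items.size() + " item(s)");

        // Constructed input whose root element names a type outside the allowlist.
        // java.util.Date is benign here; it stands in for any type an attacker picks.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (ForbiddenClassException e) {
            // The security mapper rejects the class name before any converter is invoked.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.4.18 removes the blacklist default that this CVE defeats, but an explicit allowlist like the one above is what the advisory recommends on every version, and it does not depend on the default behaviour of whichever release happens to be on the classpath.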

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-434 Unrestricted Upload of File with Dangerous Type (category: Resource Mgmt)
CWE-502 Deserialization of Untrusted Data (category: Validation)

Affected Products 36

Vendor | Product | Version | Range
xstream | xstream | * | <1.4.18
debian | debian_linux | 9.0 | any
debian | debian_linux | 10.0 | any
debian | debian_linux | 11.0 | any
fedoraproject | fedora | 33 | any
fedoraproject | fedora | 34 | any
fedoraproject | fedora | 35 | any
netapp | snapmanager | * | any
netapp | snapmanager | * | any
oracle | business_activity_monitoring | 12.2.1.4.0 | any
oracle | commerce_guided_search | 11.3.2 | any
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | any
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | any
oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | any
oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | any
oracle | communications_cloud_native_core_policy | 1.14.0 | any
oracle | communications_unified_inventory_management | 7.3.4 | any
oracle | communications_unified_inventory_management | 7.3.5 | any
oracle | communications_unified_inventory_management | 7.4.0 | any
oracle | communications_unified_inventory_management | 7.4.1 | any
oracle | communications_unified_inventory_management | 7.4.2 | any
oracle | retail_xstore_point_of_service | 16.0.6 | any
oracle | retail_xstore_point_of_service | 17.0.4 | any
oracle | retail_xstore_point_of_service | 18.0.3 | any
oracle | retail_xstore_point_of_service | 19.0.2 | any
oracle | retail_xstore_point_of_service | 20.0.1 | any
oracle | utilities_framework | 4.2.0.2.0 | any
oracle | utilities_framework | 4.2.0.3.0 | any
oracle | utilities_framework | 4.3.0.1.0 | any
oracle | utilities_framework | 4.3.0.6.0 | any
oracle | utilities_framework | 4.4.0.0.0 | any
oracle | utilities_framework | 4.4.0.2.0 | any
oracle | utilities_framework | 4.4.0.3.0 | any
oracle | utilities_testing_accelerator | 6.0.0.1.1 | any
oracle | webcenter_portal | 12.2.1.3.0 | any
oracle | webcenter_portal | 12.2.1.4.0 | any

References 11

  • github.com https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
    Mailing List
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
    Mailing List
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210923-0003/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2021/dsa-5004
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • x-stream.github.io https://x-stream.github.io/CVE-2021-39139.html
    Vendor Advisory

Remediation

  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory