CVE-2021-39144
HIGH CISA KEV
Published Aug 23, 20214y ago · Modified Jun 17, 20262w ago
8.5 CVSS 3.1
Published Aug 23, 2021 4y ago
Last Modified Jun 17, 2026 2w ago
KEV Listed Mar 10, 2023 3y ago
KEV Due Mar 31, 2023 1189d overdue
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
CISA Known Exploited Overdue 1189d
- Added
- Mar 10, 2023
- Due
- Mar 31, 2023
Apply updates per vendor instructions.
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses 3
CWE-306 Missing Authentication for Critical Function Authentication
CWE-502 Deserialization of Untrusted Data Validation
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
Affected Products 36
| Vendor | Product | Version | Range |
|---|---|---|---|
| xstream | xstream | * | <1.4.18 |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| debian | debian_linux | 11.0 | any |
| fedoraproject | fedora | 33 | any |
| fedoraproject | fedora | 34 | any |
| fedoraproject | fedora | 35 | any |
| netapp | snapmanager | * | any |
| netapp | snapmanager | * | any |
| oracle | business_activity_monitoring | 12.2.1.4.0 | any |
| oracle | commerce_guided_search | 11.3.2 | any |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | any |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | any |
| oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | any |
| oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | any |
| oracle | communications_cloud_native_core_policy | 1.14.0 | any |
| oracle | communications_unified_inventory_management | 7.3.4 | any |
| oracle | communications_unified_inventory_management | 7.3.5 | any |
| oracle | communications_unified_inventory_management | 7.4.0 | any |
| oracle | communications_unified_inventory_management | 7.4.1 | any |
| oracle | communications_unified_inventory_management | 7.4.2 | any |
| oracle | retail_xstore_point_of_service | 16.0.6 | any |
| oracle | retail_xstore_point_of_service | 17.0.4 | any |
| oracle | retail_xstore_point_of_service | 18.0.3 | any |
| oracle | retail_xstore_point_of_service | 19.0.2 | any |
| oracle | retail_xstore_point_of_service | 20.0.1 | any |
| oracle | utilities_framework | 4.2.0.2.0 | any |
| oracle | utilities_framework | 4.2.0.3.0 | any |
| oracle | utilities_framework | 4.3.0.1.0 | any |
| oracle | utilities_framework | 4.3.0.6.0 | any |
| oracle | utilities_framework | 4.4.0.0.0 | any |
| oracle | utilities_framework | 4.4.0.2.0 | any |
| oracle | utilities_framework | 4.4.0.3.0 | any |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | any |
| oracle | webcenter_portal | 12.2.1.3.0 | any |
| oracle | webcenter_portal | 12.2.1.4.0 | any |
References 13
- packetstormsecurity.com http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
- github.com https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- security.netapp.com https://security.netapp.com/advisory/ntap-20210923-0003/
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
- debian.org https://www.debian.org/security/2021/dsa-5004
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
- x-stream.github.io https://x-stream.github.io/CVE-2021-39144.html
Remediation
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
- oracle.com https://www.oracle.com/security-alerts/cpujul2022.html