CVE-2021-39144

Severity: High · CISA KEV
CVSS 3.1 base score: 8.5 (High)
Published: Aug 23, 2021 (4y ago) · Modified: Jun 17, 2026 (2w ago)
KEV Listed: Mar 10, 2023 (3y ago)
KEV Due: Mar 31, 2023 (1189d overdue)

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

CVSS Details

Base Score: 8.5
Exploitability: 1.8
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

CISA Known Exploited (overdue 1189d)
Added: Mar 10, 2023
Due: Mar 31, 2023

Apply updates per vendor instructions.

Exploit & Patch Status
Actively Exploited (KEV)
Patch Available

Weaknesses (3)

CWE-306 Missing Authentication for Critical Function (category: Authentication)
CWE-502 Deserialization of Untrusted Data (category: Validation)
CWE-94 Improper Control of Generation of Code (Code Injection) (category: Injection)

Affected Products (36)

Vendor | Product | Version | Range
xstream | xstream | * | <1.4.18
debian | debian_linux | 9.0 | any
debian | debian_linux | 10.0 | any
debian | debian_linux | 11.0 | any
fedoraproject | fedora | 33 | any
fedoraproject | fedora | 34 | any
fedoraproject | fedora | 35 | any
netapp | snapmanager | * | any
netapp | snapmanager | * | any
oracle | business_activity_monitoring | 12.2.1.4.0 | any
oracle | commerce_guided_search | 11.3.2 | any
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | any
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | any
oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | any
oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | any
oracle | communications_cloud_native_core_policy | 1.14.0 | any
oracle | communications_unified_inventory_management | 7.3.4 | any
oracle | communications_unified_inventory_management | 7.3.5 | any
oracle | communications_unified_inventory_management | 7.4.0 | any
oracle | communications_unified_inventory_management | 7.4.1 | any
oracle | communications_unified_inventory_management | 7.4.2 | any
oracle | retail_xstore_point_of_service | 16.0.6 | any
oracle | retail_xstore_point_of_service | 17.0.4 | any
oracle | retail_xstore_point_of_service | 18.0.3 | any
oracle | retail_xstore_point_of_service | 19.0.2 | any
oracle | retail_xstore_point_of_service | 20.0.1 | any
oracle | utilities_framework | 4.2.0.2.0 | any
oracle | utilities_framework | 4.2.0.3.0 | any
oracle | utilities_framework | 4.3.0.1.0 | any
oracle | utilities_framework | 4.3.0.6.0 | any
oracle | utilities_framework | 4.4.0.0.0 | any
oracle | utilities_framework | 4.4.0.2.0 | any
oracle | utilities_framework | 4.4.0.3.0 | any
oracle | utilities_testing_accelerator | 6.0.0.1.1 | any
oracle | webcenter_portal | 12.2.1.3.0 | any
oracle | webcenter_portal | 12.2.1.4.0 | any

References (13)

  • packetstormsecurity.com http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html
    Exploit, Third Party Advisory, VDB Entry
  • github.com https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
    Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
    Broken Link, Mailing List, Release Notes
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
    Broken Link, Mailing List, Release Notes
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
    Broken Link, Mailing List, Release Notes
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210923-0003/
    Third Party Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144
    US Government Resource
  • debian.org https://www.debian.org/security/2021/dsa-5004
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • x-stream.github.io https://x-stream.github.io/CVE-2021-39144.html
    Exploit, Vendor Advisory

Remediation

  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory