CVE-2021-21342
Summary
| CVE | CVE-2021-21342 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-23 00:15:00 UTC |
| Updated | 2023-11-07 03:29:00 UTC |
| Description | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. |
Risk And Classification
Problem Types: CWE-918 | CWE-502
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Oracle | Banking Enterprise Default Management | 2.10.0 | All | All | All |
| Application | Oracle | Banking Enterprise Default Management | 2.12.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.12.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.9.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.2.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.5.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 | All | All | All |
| Application | Oracle | Communications Policy Management | 12.5.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.2 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.5 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Mysql Server | All | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Webcenter Portal | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
| Application | Xstream Project | Xstream | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| XStream - Change History | MISC | x-stream.github.io | |
| March 2021 XStream Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| [jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15) | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Debian -- Security Information -- DSA-5004-1 libxstream-java | DEBIAN | www.debian.org | |
| XStream - Security Aspects | MISC | x-stream.github.io | |
| XStream - CVE-2021-21342 | MISC | x-stream.github.io | |
| A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host · Advisory · x-stream/xstream · GitHub | CONFIRM | github.com | |
| [activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs | MLIST | lists.apache.org | |
| [SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2616-1] libxstream-java security update | MLIST | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178511 Debian Security Update for libxstream-java (DLA 2616-1)
- 178889 Debian Security Update for libxstream-java (DSA 5004-1)
- 178890 Debian Security Update for libxstream-java (DSA 5004-1)
- 180223 Debian Security Update for libxstream-java (CVE-2021-21342)
- 198361 Ubuntu Security Notification for XStream vulnerabilities (USN-4943-1)
- 281980 Fedora Security Update for xstream (FEDORA-2021-d894ca87dc)
- 281981 Fedora Security Update for xstream (FEDORA-2021-fbad11014a)
- 354921 Amazon Linux Security Advisory for xstream : ALAS2-2023-2030
- 375827 XStream Arbitrary Code Execution And Multiple vulnerabilities
- 730155 McAfee Web Gateway Multiple Vulnerabilities (WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934, WP-3935, WP-3936, WP-3999)
- 750094 SUSE Enterprise Linux Security Update for xstream (SUSE-SU-2021:1840-1)
- 750177 OpenSUSE Security Update for xstream (openSUSE-SU-2021:0832-1)
- 750773 OpenSUSE Security Update for xstream (openSUSE-SU-2021:1840-1)
- 980129 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-hvv8-336g-rx3m)