CVE-2021-21346
Summary
| CVE | CVE-2021-21346 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-23 00:15:00 UTC |
| Updated | 2023-11-07 03:29:00 UTC |
| Description | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. |
Risk And Classification
Problem Types: CWE-502 | CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Oracle | Banking Enterprise Default Management | 2.10.0 | All | All | All |
| Application | Oracle | Banking Enterprise Default Management | 2.12.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.12.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.9.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.2.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.3.0 | All | All | All |
| Application | Oracle | Banking Virtual Account Management | 14.5.0 | All | All | All |
| Application | Oracle | Bi Publisher | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Bi Publisher | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Bi Publisher | 5.5.0.0.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0.0.3.0 | All | All | All |
| Application | Oracle | Communications Policy Management | 12.5.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.2 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.5 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Webcenter Portal | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
| Application | Xstream Project | Xstream | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| XStream - Change History | MISC | x-stream.github.io | |
| March 2021 XStream Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| [jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15) | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| XStream - CVE-2021-21346 | MISC | x-stream.github.io | |
| Debian -- Security Information -- DSA-5004-1 libxstream-java | DEBIAN | www.debian.org | |
| XStream is vulnerable to an Arbitrary Code Execution attack · Advisory · x-stream/xstream · GitHub | CONFIRM | github.com | |
| XStream - Security Aspects | MISC | x-stream.github.io | |
| [activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs | | lists.apache.org | |
| [SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2616-1] libxstream-java security update | MLIST | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159162 Oracle Enterprise Linux Security Update for xstream (ELSA-2021-1354)
- 178511 Debian Security Update for libxstream-java (DLA 2616-1)
- 178889 Debian Security Update for libxstream-java (DSA 5004-1)
- 178890 Debian Security Update for libxstream-java (DSA 5004-1)
- 179567 Debian Security Update for libxstream-java (CVE-2021-21346)
- 198361 Ubuntu Security Notification for XStream vulnerabilities (USN-4943-1)
- 239260 Red Hat Update for xstream (RHSA-2021:1354)
- 257081 CentOS Security Update for xstream (CESA-2021:1354)
- 281980 Fedora Security Update for xstream (FEDORA-2021-d894ca87dc)
- 281981 Fedora Security Update for xstream (FEDORA-2021-fbad11014a)
- 352367 Amazon Linux Security Advisory for xstream: ALAS2-2021-1645
- 375827 XStream Arbitrary Code Execution And Multiple vulnerabilities
- 377045 Alibaba Cloud Linux Security Update for xstream (ALINUX2-SA-2021:0024)
- 730155 McAfee Web Gateway Multiple Vulnerabilities (WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934, WP-3935, WP-3936, WP-3999)
- 750094 SUSE Enterprise Linux Security Update for xstream (SUSE-SU-2021:1840-1)
- 750177 OpenSUSE Security Update for xstream (openSUSE-SU-2021:0832-1)
- 750773 OpenSUSE Security Update for xstream (openSUSE-SU-2021:1840-1)
- 980131 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-4hrm-m67v-5cxr)