CVE-2021-39144
Summary
| CVE | CVE-2021-39144 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-08-23 18:15:00 UTC |
| Updated | 2023-11-07 03:37:00 UTC |
| Description | XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose. |
Risk And Classification
EPSS: 0.942550000 probability, percentile 0.999330000 (date 2026-04-01)
CISA KEV: Listed on 2023-03-10; due 2023-03-31; ransomware use Unknown
Problem Types: CWE-306 | CWE-502
CISA Known Exploited Vulnerability
| Vendor | XStream |
|---|---|
| Product | XStream |
| Name | XStream Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://www.vmware.com/security/advisories/VMSA-2022-0027.html; https://x-stream.github.io/CVE-2021-39144.html; https://nvd.nist.gov/vuln/detail/CVE-2021-39144 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Snapmanager | - | All | All | All |
| Application | Netapp | Snapmanager | - | All | All | All |
| Application | Oracle | Business Activity Monitoring | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Commerce Guided Search | 11.3.2 | All | All | All |
| Application | Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 11.3 | All | All | All |
| Application | Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 1.14.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.5 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.2 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 20.0.1 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.3.0.1.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.3.0.6.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.3.0 | All | All | All |
| Application | Oracle | Utilities Testing Accelerator | 6.0.0.1.1 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Portal | 12.2.1.4.0 | All | All | All |
| Application | Xstream Project | Xstream | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2769-1] libxstream-java security update | MLIST | lists.debian.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| August 2021 XStream Vulnerabilities in NetApp Products - NetApp Product Security | CONFIRM | security.netapp.com | |
| XStream is vulnerable to a Remote Command Execution attack · Advisory · x-stream/xstream · GitHub | CONFIRM | github.com | |
| VMware NSX Manager XStream Unauthenticated Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Debian -- Security Information -- DSA-5004-1 libxstream-java | DEBIAN | www.debian.org | |
| XStream - CVE-2021-39144 | MISC | x-stream.github.io | |
| [SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159437 Oracle Enterprise Linux Security Update for xstream (ELSA-2021-3956)
- 178813 Debian Security Update for libxstream-java (DLA 2769-1)
- 178889 Debian Security Update for libxstream-java (DSA 5004-1)
- 178890 Debian Security Update for libxstream-java (DSA 5004-1)
- 182315 Debian Security Update for libxstream-java (CVE-2021-39144)
- 199237 Ubuntu Security Notification for XStream Vulnerabilities (USN-5946-1)
- 239729 Red Hat Update for xstream (RHSA-2021:3956)
- 281980 Fedora Security Update for xstream (FEDORA-2021-d894ca87dc)
- 281981 Fedora Security Update for xstream (FEDORA-2021-fbad11014a)
- 353077 Amazon Linux Security Advisory for xstream : ALAS2-2021-1729
- 375827 XStream Arbitrary Code Execution And Multiple vulnerabilities
- 376998 Alibaba Cloud Linux Security Update for xstream (ALINUX2-SA-2021:0065)
- 730669 VMware NSX Manager Remote Code Execution (RCE) Vulnerability (VMSA-2022-0027)
- 751258 OpenSUSE Security Update for xstream (openSUSE-SU-2021:3476-1)
- 751298 OpenSUSE Security Update for xstream (openSUSE-SU-2021:1401-1)
- 980140 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-j9h8-phrw-h4fh)