Vulnerability Monitor

CVE-2021-39139


XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.


Published

2021-08-23T18:15:10.540

Last Modified

2025-05-23T16:52:49.707

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-434
    CWE-502

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application xstream xstream < 1.4.18 Yes
Operating System debian debian_linux 9.0 Yes
Operating System debian debian_linux 10.0 Yes
Operating System debian debian_linux 11.0 Yes
Operating System fedoraproject fedora 33 Yes
Operating System fedoraproject fedora 34 Yes
Operating System fedoraproject fedora 35 Yes
Application netapp snapmanager - Yes
Application oracle business_activity_monitoring 12.2.1.4.0 Yes
Application oracle commerce_guided_search 11.3.2 Yes
Application oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3 Yes
Application oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0 Yes
Application oracle communications_cloud_native_core_automated_test_suite 1.9.0 Yes
Application oracle communications_cloud_native_core_binding_support_function 1.10.0 Yes
Application oracle communications_cloud_native_core_policy 1.14.0 Yes
Application oracle communications_unified_inventory_management 7.3.4 Yes
Application oracle communications_unified_inventory_management 7.3.5 Yes
Application oracle communications_unified_inventory_management 7.4.0 Yes
Application oracle communications_unified_inventory_management 7.4.1 Yes
Application oracle communications_unified_inventory_management 7.4.2 Yes
Application oracle retail_xstore_point_of_service 16.0.6 Yes
Application oracle retail_xstore_point_of_service 17.0.4 Yes
Application oracle retail_xstore_point_of_service 18.0.3 Yes
Application oracle retail_xstore_point_of_service 19.0.2 Yes
Application oracle retail_xstore_point_of_service 20.0.1 Yes
Application oracle utilities_framework 4.2.0.2.0 Yes
Application oracle utilities_framework 4.2.0.3.0 Yes
Application oracle utilities_framework 4.3.0.1.0 Yes
Application oracle utilities_framework 4.3.0.6.0 Yes
Application oracle utilities_framework 4.4.0.0.0 Yes
Application oracle utilities_framework 4.4.0.2.0 Yes
Application oracle utilities_framework 4.4.0.3.0 Yes
Application oracle utilities_testing_accelerator 6.0.0.1.1 Yes
Application oracle webcenter_portal 12.2.1.3.0 Yes
Application oracle webcenter_portal 12.2.1.4.0 Yes