CVE-2021-39139

HIGH

Xstream < 1.4.18 - Insecure Deserialization

Title source: rule

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

References (11)

[Third Party Advisory] https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/

[Mailing List] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210923-0003/

[Third Party Advisory] https://www.debian.org/security/2021/dsa-5004

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

[Vendor Advisory] https://x-stream.github.io/CVE-2021-39139.html

Scores

CVSS v3 8.5

EPSS 0.0080

EPSS Percentile 73.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-434

Status published

Affected Products (37)

xstream/xstream < 1.4.18

debian/debian_linux

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

fedoraproject/fedora

netapp/snapmanager

netapp/snapmanager

oracle/business_activity_monitoring

oracle/commerce_guided_search

oracle/communications_billing_and_revenue_management_elastic_charging_engine

oracle/communications_billing_and_revenue_management_elastic_charging_engine

oracle/communications_cloud_native_core_automated_test_suite

oracle/communications_cloud_native_core_binding_support_function

... and 22 more

Timeline

Published Aug 23, 2021

Tracked Since Feb 18, 2026