Vulnerability Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, the stream processed at unmarshalling time contains type information used to recreate the objects that were originally written, so XStream creates new instances based on that type information. An attacker who can manipulate the processed input stream can replace or inject objects, resulting in a server-side request forgery (SSRF). No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on the default blacklist of XStream's Security Framework, you will have to use at least version 1.4.16.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | - |
| Apache | Activemq | < 5.15.14 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
Related Weaknesses (CWE)
References
- http://x-stream.github.io/changes.html#1.4.16 (Release Notes, Third Party Advisory)
- https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m (Third Party Advisory)
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae (Issue Tracking, Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fa (Issue Tracking, Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210430-0002/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5004 (Mailing List, Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Not Applicable, Patch, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
- https://x-stream.github.io/CVE-2021-21342.html (Exploit, Third Party Advisory)
- https://x-stream.github.io/security.html#workaround (Mitigation, Third Party Advisory)
FAQ
What is CVE-2021-21342?
CVE-2021-21342 is a vulnerability with a CVSS score of 5.3 (MEDIUM). XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type informat...
How severe is CVE-2021-21342?
CVE-2021-21342 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-21342?
Check the references section above for vendor advisories and patch information. Affected products include: Netapp Oncommand Insight, Apache Activemq, Apache Jmeter, Xstream Xstream, Debian Debian Linux.