Vulnerability Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | - |
| Apache | Activemq | < 5.15.14 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0.0.3.0 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Mysql Server | <= 5.7.36 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
Related Weaknesses (CWE)
References
- http://x-stream.github.io/changes.html#1.4.16Release NotesThird Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3Third Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90aeIssue TrackingMailing ListThird Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2faIssue TrackingMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing ListThird Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchVendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21344.htmlExploitThird Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigationThird Party Advisory
FAQ
What is CVE-2021-21344?
CVE-2021-21344 is a vulnerability with a CVSS score of 5.3 (MEDIUM). XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code fr...
How severe is CVE-2021-21344?
CVE-2021-21344 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21344?
Check the references section above for vendor advisories and patch information. Affected products include: Netapp Oncommand Insight, Apache Activemq, Apache Jmeter, Xstream Xstream, Debian Debian Linux.