Vulnerability CVE-2021-21345 - CERT Civis.Net

Vulnerability Name:

CVE-2021-21345 (CCN-198622)

Assigned:

2020-12-22

Published:

2021-03-12

Updated:

2022-10-21

Summary:

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3 Severity:

9.9 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
8.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.6 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-21345

Source: MISC
Type: Release Notes, Third Party Advisory
http://x-stream.github.io/changes.html#1.4.16

Source: XF
Type: UNKNOWN
xstream-cve202121345-cmd-exec(198622)

Source: CONFIRM
Type: Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs

Source: MLIST
Type: Mailing List, Third Party Advisory
[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210403 [SECURITY] [DLA 2616-1] libxstream-java security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-fbad11014a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5e376c0ed9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d894ca87dc

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210430-0002/

Source: DEBIAN
Type: Third Party Advisory
DSA-5004

Source: CCN
Type: IBM Security Bulletin 6450783 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6454803 (Spectrum Control)
Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6468567 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

Source: CCN
Type: IBM Security Bulletin 6483059 (Tivoli Netcool Configuration Manager)
XStream (Publicly disclosed vulnerability)

Source: CCN
Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)
Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6607095 (Engineering Test Management)
Multiple vulnerabilites affect IBM Engineering Test Management product due to XStream

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: N/A
Type: Third Party Advisory
N/A

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Patch, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-21345

Source: CCN
Type: XStream GIT Repository
CVE-2021-21345: XStream is vulnerable to a Remote Command Execution attack

Source: MISC
Type: Exploit, Third Party Advisory
https://x-stream.github.io/CVE-2021-21345.html

Source: MISC
Type: Mitigation, Third Party Advisory
https://x-stream.github.io/security.html#workaround

Vulnerable Configuration:

Configuration 1:

cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.16)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:xstream_project:xstream:1.4.15:*:*:*:*:*:*:*

AND

cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_platform:2.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8073	P	xstream-1.4.20-150200.3.25.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:95263	P	Security update for cifs-utils (Important)	2022-07-13
oval:org.opensuse.security:def:3432	P	apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95062	P	xstream-1.4.19-3.18.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94890	P	conky-1.11.5-1.20 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:6033	P	Security update for gzip (Important)	2022-05-12
oval:org.opensuse.security:def:101603	P	Security update for jasper (Moderate)	2022-04-29
oval:org.opensuse.security:def:101976	P	Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Important)	2022-04-25
oval:org.opensuse.security:def:113607	P	xstream-1.4.18-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106990	P	xstream-1.4.18-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:97021	P	libvirglrenderer0-0.6.0-2.30 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:4481	P	Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP5) (Important)	2021-09-16
oval:org.opensuse.security:def:111561	P	Security update for xstream (Important)	2021-07-11
oval:org.opensuse.security:def:111417	P	Security update for xstream (Important)	2021-06-03
oval:org.opensuse.security:def:75872	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:108642	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:94166	P	(Important)	2021-06-02
oval:org.opensuse.security:def:99951	P	(Important)	2021-06-02
oval:org.opensuse.security:def:66804	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:95977	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:76190	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:94378	P	(Important)	2021-06-02
oval:org.opensuse.security:def:100286	P	(Important)	2021-06-02
oval:org.opensuse.security:def:67122	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:74638	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:93740	P	(Important)	2021-06-02
oval:org.opensuse.security:def:65570	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:4551	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:100615	P	(Important)	2021-06-02
oval:org.opensuse.security:def:74708	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:108269	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:93955	P	(Important)	2021-06-02
oval:org.opensuse.security:def:65640	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:5715	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:117783	P	Security update for xstream (Important)	2021-06-02
oval:org.opensuse.security:def:101778	P	Security update for xstream (Important)	2021-06-02
oval:com.redhat.rhsa:def:20211354	P	RHSA-2021:1354: xstream security update (Important)	2021-04-26