Vulnerability Name:

CVE-2021-29505 (CCN-202795)

Assigned:2021-05-14
Published:2021-05-14
Updated:2022-07-25
Summary:XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-94
CWE-502
CWE-502
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-29505

Source: XF
Type: UNKNOWN
xstream-cve202129505-cmd-exec(202795)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f

Source: CCN
Type: XStream GIT Repository
XStream is vulnerable to a Remote Command Execution attack

Source: CONFIRM
Type: Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc

Source: MLIST
Type: Mailing List, Third Party Advisory
[jmeter-dev] 20210607 [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210705 [SECURITY] [DLA 2704-1] libxstream-java security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-fbad11014a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5e376c0ed9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d894ca87dc

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210708-0007/

Source: DEBIAN
Type: Third Party Advisory
DSA-5004

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6483053 (Tivoli Netcool Configuration Manager)
XStream (Publicly disclosed vulnerability)

Source: CCN
Type: IBM Security Bulletin 6485153 (Spectrum Control)
Vulnerabilities in Node.js, XStream and Apache Commons affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6492209 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6495929 (Sterling B2B Integrator)
XStream Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-29505)

Source: CCN
Type: IBM Security Bulletin 6509588 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by a vulnerability in XStream (CVE-2021-29505)

Source: CCN
Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)
Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6601095 (Rational Quality Manager)
IBM Engineering Test Management is vulnerable to execute arbitrary commands on system due to XStream ( CVE-2021-29505 ).

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: N/A
Type: UNKNOWN
N/A

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-29505

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.17)

  • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
  • OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*

  • Configuration 5:
  • cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.16:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:engineering_test_management:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:engineering_test_management:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:engineering_test_management:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8073
    P
    xstream-1.4.20-150200.3.25.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:95292
    P
    Security update for ldb, samba (Important)
    2022-08-03
    oval:org.opensuse.security:def:3432
    P
    apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:95062
    P
    xstream-1.4.19-3.18.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94893
    P
    eog-41.1-150400.1.9 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:6063
    P
    Security update for MozillaFirefox (Important)
    2022-06-02
    oval:org.opensuse.security:def:102005
    P
    Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Critical)
    2022-02-16
    oval:org.opensuse.security:def:101606
    P
    Security update for unbound (Important)
    2022-01-25
    oval:org.opensuse.security:def:113607
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106990
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:4484
    P
    Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP5) (Important)
    2021-09-16
    oval:com.redhat.rhsa:def:20212683
    P
    RHSA-2021:2683: xstream security update (Important)
    2021-07-12
    oval:org.opensuse.security:def:111587
    P
    Security update for xstream (Important)
    2021-07-11
    oval:org.opensuse.security:def:111457
    P
    Security update for xstream (Important)
    2021-06-24
    oval:org.opensuse.security:def:75901
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:108671
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:97074
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:94173
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:99963
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:66833
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:95979
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:76220
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:94385
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:100298
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:67152
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:74641
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:93747
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:65573
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:4554
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:100627
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:74711
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:108272
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:93962
    P
    (Important)
    2021-06-17
    oval:org.opensuse.security:def:65643
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:5744
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:117786
    P
    Security update for xstream (Important)
    2021-06-17
    oval:org.opensuse.security:def:101781
    P
    Security update for xstream (Important)
    2021-06-17
    BACK
    xstream_project xstream *
    debian debian linux 9.0
    debian debian linux 10.0
    debian debian linux 11.0
    fedoraproject fedora 33
    fedoraproject fedora 34
    fedoraproject fedora 35
    netapp snapmanager -
    netapp snapmanager -
    oracle webcenter portal 12.2.1.3.0
    oracle webcenter sites 12.2.1.3.0
    oracle communications unified inventory management 7.3.4
    oracle communications unified inventory management 7.3.5
    oracle communications unified inventory management 7.4.0
    oracle webcenter sites 12.2.1.4.0
    oracle webcenter portal 12.2.1.4.0
    oracle enterprise manager ops center 12.4.0.0
    oracle banking credit facilities process management 14.3.0
    oracle banking corporate lending process management 14.3.0
    oracle business activity monitoring 12.2.1.3.0
    oracle business activity monitoring 11.1.1.9.0
    oracle business activity monitoring 12.2.1.4.0
    oracle communications unified inventory management 7.4.1
    oracle retail xstore point of service 16.0.6
    oracle retail xstore point of service 17.0.4
    oracle retail xstore point of service 18.0.3
    oracle retail xstore point of service 19.0.2
    oracle retail xstore point of service 20.0.1
    oracle banking supply chain finance 14.2.0
    oracle banking trade finance process management 14.5.0
    oracle banking credit facilities process management 14.2.0
    oracle banking credit facilities process management 14.5.0
    oracle banking corporate lending process management 14.2.0
    oracle banking corporate lending process management 14.5.0
    oracle banking cash management 14.2
    oracle banking cash management 14.3
    oracle banking cash management 14.5
    oracle communications brm - elastic charging engine 12.0
    oracle communications brm - elastic charging engine 11.3
    oracle communications unified inventory management 7.4.2
    xstream_project xstream 1.4.16
    ibm tivoli netcool configuration manager 6.4.2
    oracle webcenter portal 12.2.1.3.0
    ibm infosphere information server 11.7
    ibm spectrum protect plus 10.1.0
    oracle webcenter sites 12.2.1.3.0
    ibm rational quality manager 6.0.6
    ibm sterling b2b integrator 5.2.0.0
    oracle communications unified inventory management 7.3.4
    oracle communications unified inventory management 7.3.5
    oracle communications unified inventory management 7.4.0
    ibm spectrum control 5.3.1
    ibm spectrum control 5.3.2
    ibm spectrum control 5.3.3
    ibm spectrum control 5.3.0.1
    ibm watson discovery 2.0.0
    ibm rational quality manager 6.0.6.1
    ibm spectrum control 5.3.4
    ibm spectrum control 5.3.5
    ibm spectrum control 5.3.6
    ibm spectrum control 5.3.7
    ibm sterling b2b integrator 6.1.0.0
    ibm engineering test management 7.0.0
    ibm spectrum control 5.4.1
    ibm engineering test management 7.0.1
    ibm engineering test management 7.0.2
    ibm watson discovery 2.2.1
    ibm spectrum protect plus 10.1.8
    ibm spectrum copy data management 2.2.13
    ibm security verify governance 10.0