Vulnerability Name: CVE-2021-29505 (CCN-202795) Assigned: 2021-05-14 Published: 2021-05-14 Updated: 2022-07-25 Summary: XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H )7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H )7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H )6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-94 CWE-502 CWE-502 Vulnerability Consequences: Gain Access References: Source: MITRE Type: CNACVE-2021-29505 Source: XF Type: UNKNOWNxstream-cve202129505-cmd-exec(202795) Source: MISC Type: Patch, Third Party Advisoryhttps://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f Source: CCN Type: XStream GIT RepositoryXStream is vulnerable to a Remote Command Execution attack Source: CONFIRM Type: Third Party Advisoryhttps://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc Source: MLIST Type: Mailing List, Third Party Advisory[jmeter-dev] 20210607 [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16) Source: MLIST Type: Mailing List, Third Party Advisory[debian-lts-announce] 20210705 [SECURITY] [DLA 2704-1] libxstream-java security update Source: FEDORA Type: Mailing List, Third Party AdvisoryFEDORA-2021-fbad11014a Source: FEDORA Type: Mailing List, Third Party AdvisoryFEDORA-2021-5e376c0ed9 Source: FEDORA Type: Mailing List, Third Party AdvisoryFEDORA-2021-d894ca87dc Source: CONFIRM Type: Third Party Advisoryhttps://security.netapp.com/advisory/ntap-20210708-0007/ Source: DEBIAN Type: Third Party AdvisoryDSA-5004 Source: CCN Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6483053 (Tivoli Netcool Configuration Manager) XStream (Publicly disclosed vulnerability) Source: CCN Type: IBM Security Bulletin 6485153 (Spectrum Control)Vulnerabilities in Node.js, XStream and Apache Commons affect IBM Spectrum Control Source: CCN Type: IBM Security Bulletin 6492209 (Watson Discovery)IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream Source: CCN Type: IBM Security Bulletin 6495929 (Sterling B2B Integrator)XStream Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-29505) Source: CCN Type: IBM Security Bulletin 6509588 (InfoSphere Information Server)IBM InfoSphere Information Server is affected by a vulnerability in XStream (CVE-2021-29505) Source: CCN Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)Vulnerabilities in XStream affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6570915 (Data Risk Manager)IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) Source: CCN Type: IBM Security Bulletin 6601095 (Rational Quality Manager)IBM Engineering Test Management is vulnerable to execute arbitrary commands on system due to XStream ( CVE-2021-29505 ). Source: CCN Type: IBM Security Bulletin 6841035 (Security Verify Governance)IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream Source: MISC Type: Patch, Third Party Advisoryhttps://www.oracle.com/security-alerts/cpuapr2022.html Source: CCN Type: Oracle CPUJan2022Oracle Critical Patch Update Advisory - January 2022 Source: MISC Type: Patch, Third Party Advisoryhttps://www.oracle.com/security-alerts/cpujan2022.html Source: CCN Type: Oracle CPUJul2022Oracle Critical Patch Update Advisory - July 2022 Source: N/A Type: UNKNOWNN/A Source: CCN Type: Oracle CPUOct2021Oracle Critical Patch Update Advisory - October 2021 Source: MISC Type: Mailing List, Third Party Advisoryhttps://www.oracle.com/security-alerts/cpuoct2021.html Source: CCN Type: WhiteSource Vulnerability DatabaseCVE-2021-29505 Vulnerable Configuration: Configuration 1 :cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.17)Configuration 2 :cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:* Configuration 3 :cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:* OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:* OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:* Configuration 4 :cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:* OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:* Configuration 5 :cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:11.3:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* Configuration RedHat 1 :cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:* Configuration RedHat 3 :cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:* Configuration RedHat 4 :cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:* Configuration RedHat 5 :cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:* Configuration CCN 1 :cpe:/a:xstream_project:xstream:1.4.16:*:*:*:*:*:*:* AND cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:6.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_quality_manager:6.0.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:engineering_test_management:7.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:engineering_test_management:7.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:engineering_test_management:7.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* Denotes that component is vulnerable Oval Definitions BACK
xstream_project xstream *
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35
netapp snapmanager -
netapp snapmanager -
oracle webcenter portal 12.2.1.3.0
oracle webcenter sites 12.2.1.3.0
oracle communications unified inventory management 7.3.4
oracle communications unified inventory management 7.3.5
oracle communications unified inventory management 7.4.0
oracle webcenter sites 12.2.1.4.0
oracle webcenter portal 12.2.1.4.0
oracle enterprise manager ops center 12.4.0.0
oracle banking credit facilities process management 14.3.0
oracle banking corporate lending process management 14.3.0
oracle business activity monitoring 12.2.1.3.0
oracle business activity monitoring 11.1.1.9.0
oracle business activity monitoring 12.2.1.4.0
oracle communications unified inventory management 7.4.1
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0.4
oracle retail xstore point of service 18.0.3
oracle retail xstore point of service 19.0.2
oracle retail xstore point of service 20.0.1
oracle banking supply chain finance 14.2.0
oracle banking trade finance process management 14.5.0
oracle banking credit facilities process management 14.2.0
oracle banking credit facilities process management 14.5.0
oracle banking corporate lending process management 14.2.0
oracle banking corporate lending process management 14.5.0
oracle banking cash management 14.2
oracle banking cash management 14.3
oracle banking cash management 14.5
oracle communications brm - elastic charging engine 12.0
oracle communications brm - elastic charging engine 11.3
oracle communications unified inventory management 7.4.2
xstream_project xstream 1.4.16
ibm tivoli netcool configuration manager 6.4.2
oracle webcenter portal 12.2.1.3.0
ibm infosphere information server 11.7
ibm spectrum protect plus 10.1.0
oracle webcenter sites 12.2.1.3.0
ibm rational quality manager 6.0.6
ibm sterling b2b integrator 5.2.0.0
oracle communications unified inventory management 7.3.4
oracle communications unified inventory management 7.3.5
oracle communications unified inventory management 7.4.0
ibm spectrum control 5.3.1
ibm spectrum control 5.3.2
ibm spectrum control 5.3.3
ibm spectrum control 5.3.0.1
ibm watson discovery 2.0.0
ibm rational quality manager 6.0.6.1
ibm spectrum control 5.3.4
ibm spectrum control 5.3.5
ibm spectrum control 5.3.6
ibm spectrum control 5.3.7
ibm sterling b2b integrator 6.1.0.0
ibm engineering test management 7.0.0
ibm spectrum control 5.4.1
ibm engineering test management 7.0.1
ibm engineering test management 7.0.2
ibm watson discovery 2.2.1
ibm spectrum protect plus 10.1.8
ibm spectrum copy data management 2.2.13
ibm security verify governance 10.0