Vulnerability Name: CVE-2021-39152 (CCN-208120) Assigned: 2021-08-22 Published: 2021-08-22 Updated: 2022-10-05 Summary: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. CVSS v3 Severity: 8.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 7.4 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 7.4 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 7.4 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): HighAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-918 CWE-502 Vulnerability Consequences: Gain Access References: Source: MITRECVE-2021-39152 xstream-cve202139152-ssrf(208120) https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 [debian-lts-announce] 20210929 [SECURITY] [DLA 2769-1] libxstream-java security update FEDORA-2021-fbad11014a FEDORA-2021-5e376c0ed9 FEDORA-2021-d894ca87dc https://security.netapp.com/advisory/ntap-20210923-0003/ DSA-5004 IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream Vulnerabilities in XStream affect IBM Spectrum Protect Plus Vulnerabilities in XStream affect IBM Spectrum Copy Data Management IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to a SSRF attack (CVE-2021-39152, CVE-2021-39150) Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html N/A CVE-2021-39152: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host https://x-stream.github.io/CVE-2021-39152.html Vulnerable Configuration: Configuration 1 :cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.18)Configuration 2 :cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:* OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:* OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:* Configuration 3 :cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:* Configuration 4 :cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:* OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:* Configuration 5 :cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* OR cpe:/a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* Configuration RedHat 1 :cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:* Configuration RedHat 3 :cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:* Configuration RedHat 4 :cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:* Configuration RedHat 5 :cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:* Configuration CCN 1 :cpe:/a:xstream_project:xstream:1.4.17:*:*:*:*:*:*:* AND cpe:/a:ibm:atlas_ediscovery_process_management:6.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:* OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* Oval Definitions BACK
xstream_project xstream *
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
netapp snapmanager -
netapp snapmanager -
oracle webcenter portal 12.2.1.3.0
oracle utilities framework 4.2.0.3.0
oracle utilities framework 4.2.0.2.0
oracle utilities framework 4.3.0.6.0
oracle utilities framework 4.4.0.0.0
oracle communications unified inventory management 7.3.4
oracle communications unified inventory management 7.3.5
oracle communications unified inventory management 7.4.0
oracle webcenter portal 12.2.1.4.0
oracle utilities framework 4.4.0.2.0
oracle communications billing and revenue management elastic charging engine 11.3
oracle communications billing and revenue management elastic charging engine 12.0
oracle business activity monitoring 12.2.1.4.0
oracle commerce guided search 11.3.2
oracle communications unified inventory management 7.4.1
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0.4
oracle retail xstore point of service 18.0.3
oracle retail xstore point of service 19.0.2
oracle retail xstore point of service 20.0.1
oracle utilities framework 4.4.0.3.0
oracle utilities testing accelerator 6.0.0.1.1
oracle communications cloud native core binding support function 1.10.0
oracle utilities framework 4.3.0.1.0
oracle communications cloud native core policy 1.14.0
oracle communications unified inventory management 7.4.2
oracle communications cloud native core automated test suite 1.9.0
xstream_project xstream 1.4.17
ibm atlas ediscovery process management 6.0.3
ibm tivoli netcool configuration manager 6.4.2
ibm infosphere information server 11.7
ibm watson discovery 2.0.0
ibm watson discovery 2.2.1
ibm spectrum copy data management 2.2.13
ibm security verify governance 10.0
Denotes that component is vulnerable