Vulnerability Name:

CVE-2021-39153 (CCN-208121)

Assigned:2021-08-22
Published:2021-08-22
Updated:2022-10-05
Summary:XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVSS v3 Severity:8.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.4 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.4 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.4 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-502
CWE-434
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-39153

Source: XF
Type: UNKNOWN
xstream-cve202139153-code-exec(208121)

Source: CONFIRM
Type: Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210929 [SECURITY] [DLA 2769-1] libxstream-java security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-fbad11014a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5e376c0ed9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d894ca87dc

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210923-0003/

Source: DEBIAN
Type: Third Party Advisory
DSA-5004

Source: CCN
Type: IBM Security Bulletin 6492209 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6525066 (Spectrum Protect Plus)
Vulnerabilities in XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)
Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6575535 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

Source: CCN
Type: IBM Security Bulletin 6590209 (Spectrum Control)
IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: CCN
Type: IBM Security Bulletin 6857277 (Tivoli Netcool Configuration Manager)
Due to use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to arbitrary code execution attack

Source: CCN
Type: IBM Security Bulletin 6988899 (Atlas eDiscovery Process Management)
Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: N/A
Type: Third Party Advisory
N/A

Source: CCN
Type: XStream GIT Repository
CVE-2021-39153: XStream is vulnerable to an Arbitrary Code Execution attack

Source: MISC
Type: Exploit, Third Party Advisory
https://x-stream.github.io/CVE-2021-39153.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.18)

  • Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
  • OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*

  • Configuration 5:
  • cpe:/a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.17:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:atlas_ediscovery_process_management:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8073
    P
    xstream-1.4.20-150200.3.25.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:95413
    P
    Security update for haproxy (Moderate)
    2022-07-06
    oval:org.opensuse.security:def:3432
    P
    apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94921
    P
    libQt5OpenGLExtensions-devel-static-5.15.2+kde294-150400.4.8 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95062
    P
    xstream-1.4.19-3.18.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:4581
    P
    Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP5) (Important)
    2022-04-23
    oval:org.opensuse.security:def:6206
    P
    Security update for xen (Important)
    2022-03-23
    oval:org.opensuse.security:def:102126
    P
    Security update for the Linux Kernel (Important)
    2022-03-08
    oval:org.opensuse.security:def:101634
    P
    Security update for strongswan (Important)
    2022-02-18
    oval:org.opensuse.security:def:113607
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:4512
    P
    Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) (Important)
    2021-11-17
    oval:org.opensuse.security:def:111101
    P
    Security update for xstream (Important)
    2021-10-31
    oval:com.redhat.rhsa:def:20213956
    P
    RHSA-2021:3956: xstream security update (Important)
    2021-10-25
    oval:org.opensuse.security:def:95984
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:76363
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:94190
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:100338
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:67295
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:74669
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:65601
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:94401
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:100667
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:74738
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:108300
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:93764
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:65670
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:5865
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:101808
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:76022
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:108792
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:93978
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:100002
    P
    (Important)
    2021-10-20
    oval:org.opensuse.security:def:66954
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:111754
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:117814
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:1130
    P
    Security update for xstream (Important)
    2021-10-20
    oval:org.opensuse.security:def:106990
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2021-10-01
    BACK
    xstream_project xstream *
    fedoraproject fedora 33
    fedoraproject fedora 34
    fedoraproject fedora 35
    debian debian linux 9.0
    debian debian linux 10.0
    debian debian linux 11.0
    netapp snapmanager -
    netapp snapmanager -
    oracle webcenter portal 12.2.1.3.0
    oracle utilities framework 4.2.0.3.0
    oracle utilities framework 4.2.0.2.0
    oracle utilities framework 4.3.0.6.0
    oracle utilities framework 4.4.0.0.0
    oracle communications unified inventory management 7.3.4
    oracle communications unified inventory management 7.3.5
    oracle communications unified inventory management 7.4.0
    oracle webcenter portal 12.2.1.4.0
    oracle utilities framework 4.4.0.2.0
    oracle communications billing and revenue management elastic charging engine 11.3
    oracle communications billing and revenue management elastic charging engine 12.0
    oracle business activity monitoring 12.2.1.4.0
    oracle communications unified inventory management 7.4.1
    oracle utilities framework 4.4.0.3.0
    oracle utilities testing accelerator 6.0.0.1.1
    oracle communications cloud native core binding support function 1.10.0
    oracle utilities framework 4.3.0.1.0
    oracle communications cloud native core policy 1.14.0
    oracle communications unified inventory management 7.4.2
    oracle communications cloud native core automated test suite 1.9.0
    xstream_project xstream 1.4.17
    ibm atlas ediscovery process management 6.0.3
    ibm tivoli netcool configuration manager 6.4.2
    ibm infosphere information server 11.7
    ibm watson discovery 2.0.0
    ibm watson discovery 2.2.1
    ibm spectrum copy data management 2.2.13
    ibm security verify governance 10.0