CVE-2021-39139: XStream is vulnerable to an Arbitrary Code Execution attack
First published: Sun Aug 22 2021(Updated: )
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xstream | <0:1.3.1-16.el7_9 | 0:1.3.1-16.el7_9 |
| debian/libxstream-java | 1.4.11.1-1+deb10u3 1.4.11.1-1+deb10u4 1.4.15-3+deb11u2 1.4.20-1 | |
| redhat/xstream | <1.4.18 | 1.4.18 |
| Xstream Project Xstream | <1.4.18 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Oracle Business Activity Monitoring | =12.2.1.4.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Billing And Revenue Management Elastic Charging Engine | =11.3 | |
| Oracle Communications Billing And Revenue Management Elastic Charging Engine | =12.0 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.9.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Unified Inventory Management | =7.3.4 | |
| Oracle Communications Unified Inventory Management | =7.3.5 | |
| Oracle Communications Unified Inventory Management | =7.4.0 | |
| Oracle Communications Unified Inventory Management | =7.4.1 | |
| Oracle Communications Unified Inventory Management | =7.4.2 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle Retail Xstore Point of Service | =20.0.1 | |
| Oracle Utilities Framework | =4.2.0.2.0 | |
| Oracle Utilities Framework | =4.2.0.3.0 | |
| Oracle Utilities Framework | =4.3.0.1.0 | |
| Oracle Utilities Framework | =4.3.0.6.0 | |
| Oracle Utilities Framework | =4.4.0.0.0 | |
| Oracle Utilities Framework | =4.4.0.2.0 | |
| Oracle Utilities Framework | =4.4.0.3.0 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-39139 https://nvd.nist.gov/vuln/detail/CVE-2021-39139 https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
- https://bugzilla.redhat.com/show_bug.cgi?id=1997763
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/errata/RHSA-2021:3956
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2022:0297
- https://access.redhat.com/errata/RHSA-2022:0296
- https://access.redhat.com/security/cve/cve-2021-39139
- https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44
- https://x-stream.github.io/CVE-2021-39139.html
- https://security-tracker.debian.org/tracker/CVE-2021-39139
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997764
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://security.netapp.com/advisory/ntap-20210923-0003/
- https://www.debian.org/security/2021/dsa-5004
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-39139?
CVE-2021-39139 is a vulnerability in the XStream library that allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the input stream.
How does CVE-2021-39139 impact users?
Users are affected if they are using XStream version 1.3.1-16.el7_9 or version 1.4.18.
What is the severity of CVE-2021-39139?
CVE-2021-39139 has a severity rating of 8.5 (high).
How can I fix CVE-2021-39139?
To fix CVE-2021-39139, users should update XStream to version 1.4.18 or apply the remedy package 0:1.3.1-16.el7_9.
Where can I find more information about CVE-2021-39139?
More information about CVE-2021-39139 can be found at the following references: [CVE-2021-39139](https://www.cve.org/CVERecord?id=CVE-2021-39139), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-39139), [GitHub Security Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1997763), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2022:0520).
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-39139
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- package-manager/redhat
- package-manager/debian
- vendor/xstream project
- canonical/xstream project xstream
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/netapp
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- vendor/oracle
- canonical/oracle business activity monitoring
- version/oracle business activity monitoring/12.2.1.4.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications billing and revenue management elastic charging engine
- version/oracle communications billing and revenue management elastic charging engine/11.3
- version/oracle communications billing and revenue management elastic charging engine/12.0
- canonical/oracle communications cloud native core automated test suite
- version/oracle communications cloud native core automated test suite/1.9.0
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.10.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.3.4
- version/oracle communications unified inventory management/7.3.5
- version/oracle communications unified inventory management/7.4.0
- version/oracle communications unified inventory management/7.4.1
- version/oracle communications unified inventory management/7.4.2
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- version/oracle retail xstore point of service/20.0.1
- canonical/oracle utilities framework
- version/oracle utilities framework/4.2.0.2.0
- version/oracle utilities framework/4.2.0.3.0
- version/oracle utilities framework/4.3.0.1.0
- version/oracle utilities framework/4.3.0.6.0
- version/oracle utilities framework/4.4.0.0.0
- version/oracle utilities framework/4.4.0.2.0
- version/oracle utilities framework/4.4.0.3.0
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0