First published: Sun Aug 22 2021(Updated: )
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/xstream | <0:1.3.1-16.el7_9 | 0:1.3.1-16.el7_9 |
debian/libxstream-java | 1.4.11.1-1+deb10u3 1.4.11.1-1+deb10u4 1.4.15-3+deb11u2 1.4.20-1 | |
redhat/xstream | <1.4.18 | 1.4.18 |
Xstream Project Xstream | <1.4.18 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Snapmanager Oracle | ||
Netapp Snapmanager Sap | ||
Oracle Business Activity Monitoring | =12.2.1.4.0 | |
Oracle Commerce Guided Search | =11.3.2 | |
Oracle Communications Billing And Revenue Management Elastic Charging Engine | =11.3 | |
Oracle Communications Billing And Revenue Management Elastic Charging Engine | =12.0 | |
Oracle Communications Cloud Native Core Automated Test Suite | =1.9.0 | |
Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Communications Unified Inventory Management | =7.3.4 | |
Oracle Communications Unified Inventory Management | =7.3.5 | |
Oracle Communications Unified Inventory Management | =7.4.0 | |
Oracle Communications Unified Inventory Management | =7.4.1 | |
Oracle Communications Unified Inventory Management | =7.4.2 | |
Oracle Retail Xstore Point of Service | =16.0.6 | |
Oracle Retail Xstore Point of Service | =17.0.4 | |
Oracle Retail Xstore Point of Service | =18.0.3 | |
Oracle Retail Xstore Point of Service | =19.0.2 | |
Oracle Retail Xstore Point of Service | =20.0.1 | |
Oracle Utilities Framework | =4.2.0.2.0 | |
Oracle Utilities Framework | =4.2.0.3.0 | |
Oracle Utilities Framework | =4.3.0.1.0 | |
Oracle Utilities Framework | =4.3.0.6.0 | |
Oracle Utilities Framework | =4.4.0.0.0 | |
Oracle Utilities Framework | =4.4.0.2.0 | |
Oracle Utilities Framework | =4.4.0.3.0 | |
Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
Oracle WebCenter Portal | =12.2.1.3.0 | |
Oracle WebCenter Portal | =12.2.1.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2021-39148 is a vulnerability in the xstream library that allows a remote attacker to execute arbitrary code by manipulating the input stream.
The severity of CVE-2021-39148 is high, with a CVSS score of 8.5.
The affected software versions include xstream 1.4.18, xstream 0:1.3.1-16.el7_9, and other specific versions listed in the vulnerability description.
To fix CVE-2021-39148, it is recommended to upgrade to xstream version 1.4.18 or apply the specified patches provided by the software vendors.
You can find more information about CVE-2021-39148 in the references provided: [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2), [CVE-2021-39148 Information](https://x-stream.github.io/CVE-2021-39148.html), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1997782).