CVE-2021-21342
CRITICALCVSS 9.1/10EPSS 50.14%
Last modified
CVE-2021-21342 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. EPSS estimates a 50.14% chance of exploitation in the next 30 days.
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | All versions |
| Apache | Activemq | < 5.15.14 |
| Apache | Activemq | 5.16.0 |
| Apache | Activemq | 5.16.1 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.5.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Business Activity Monitoring | 12.2.1.3.0 |
| Oracle | Business Activity Monitoring | 12.2.1.4.0 |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Retail Xstore Point Of Service | 17.0.4 |
| Oracle | Retail Xstore Point Of Service | 18.0.3 |
| Oracle | Retail Xstore Point Of Service | 19.0.2 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
References
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3mThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlNot Applicable, Patch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21342.htmlExploit, Third Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3mThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlNot Applicable, Patch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21342.htmlExploit, Third Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-21342?
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
How severe is CVE-2021-21342?
CVE-2021-21342 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 50.14% probability of exploitation in the next 30 days.
How do I fix CVE-2021-21342?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-21342?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST