CVE-2021-21349
HIGHCVSS 8.6/10EPSS 47.75%
Last modified
CVE-2021-21349 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. EPSS estimates a 47.75% chance of exploitation in the next 30 days.
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | All versions |
| Apache | Activemq | < 5.15.14 |
| Apache | Activemq | 5.16.0 |
| Apache | Activemq | 5.16.1 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.5.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Business Activity Monitoring | 12.2.1.3.0 |
| Oracle | Business Activity Monitoring | 12.2.1.4.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0.0.3.0 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Graalvm | 20.3.4 |
| Oracle | Graalvm | 21.3.0 |
| Oracle | Java Se | 7u321 |
| Oracle | Java Se | 8u311 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Retail Xstore Point Of Service | 17.0.4 |
| Oracle | Retail Xstore Point Of Service | 18.0.3 |
| Oracle | Retail Xstore Point Of Service | 19.0.2 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
References
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjvThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21349.htmlExploit, Third Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjvThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21349.htmlExploit, Third Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-21349?
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
How severe is CVE-2021-21349?
CVE-2021-21349 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 47.75% probability of exploitation in the next 30 days.
How do I fix CVE-2021-21349?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-21349?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST