CVE-2021-39144
HIGHCVSS 8.5/10Actively ExploitedEPSS 98.51%
Last modified
CVE-2021-39144 is a high-severity vulnerability rated 8.5/10 on the CVSS scale. XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. CISA has confirmed active exploitation in the wild. EPSS estimates a 98.51% chance of exploitation in the next 30 days.
Description
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xstream | Xstream | < 1.4.18 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Netapp | Snapmanager | All versions |
| Oracle | Business Activity Monitoring | 12.2.1.4.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 11.3 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Communications Unified Inventory Management | 7.4.2 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Retail Xstore Point Of Service | 17.0.4 |
| Oracle | Retail Xstore Point Of Service | 18.0.3 |
| Oracle | Retail Xstore Point Of Service | 19.0.2 |
| Oracle | Retail Xstore Point Of Service | 20.0.1 |
| Oracle | Utilities Framework | 4.2.0.2.0 |
| Oracle | Utilities Framework | 4.2.0.3.0 |
| Oracle | Utilities Framework | 4.3.0.1.0 |
| Oracle | Utilities Framework | 4.3.0.6.0 |
| Oracle | Utilities Framework | 4.4.0.0.0 |
| Oracle | Utilities Framework | 4.4.0.2.0 |
| Oracle | Utilities Framework | 4.4.0.3.0 |
| Oracle | Utilities Testing Accelerator | 6.0.0.1.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
References
- http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Broken Link, Mailing List, Release Notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Broken Link, Mailing List, Release Notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Broken Link, Mailing List, Release Notes
- https://security.netapp.com/advisory/ntap-20210923-0003/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://x-stream.github.io/CVE-2021-39144.htmlExploit, Vendor Advisory
- http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Broken Link, Mailing List, Release Notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Broken Link, Mailing List, Release Notes
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Broken Link, Mailing List, Release Notes
- https://security.netapp.com/advisory/ntap-20210923-0003/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://x-stream.github.io/CVE-2021-39144.htmlExploit, Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-39144?
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
How severe is CVE-2021-39144?
CVE-2021-39144 has a CVSS score of 8.5/10 (HIGH severity). The EPSS model estimates a 98.51% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
How do I fix CVE-2021-39144?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-39144?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST