CVE-2021-21345

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3 9.9 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21345.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

07 Nov 2023, 03:29

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/', 'name': 'FEDORA-2021-5e376c0ed9', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E', 'name': '[jmeter-dev] 20210406 [GitHub] [jmeter] sseide opened a new pull request #655: update x-stream to 1.4.16 (from 1.4.15)', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E', 'name': '[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/', 'name': 'FEDORA-2021-d894ca87dc', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/', 'name': 'FEDORA-2021-fbad11014a', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - () https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - () https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E -

21 Oct 2022, 22:41

Type	Values Removed	Values Added
CWE	CWE-94 CWE-502	CWE-78

16 Feb 2022, 14:55

Type	Values Removed	Values Added
First Time		Oracle peoplesoft Enterprise Peopletools
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Vendor Advisory
CPE		cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

30 Nov 2021, 22:08

Type	Values Removed	Values Added
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-5004 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory
CPE	cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:::::::*	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:oracle:banking_platform:2.4.0:::::::* cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::* cpe:2.3:a:oracle:banking_platform:2.12.0:::::::* cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::* cpe:2.3:a:oracle:banking_platform:2.9.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::* cpe:2.3:a:oracle:banking_platform:2.7.1:::::::* cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::* cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::* cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*

11 Nov 2021, 23:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - (DEBIAN) https://www.debian.org/security/2021/dsa-5004 -

10 Nov 2021, 01:16

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/', 'name': 'FEDORA-2021-5e376c0ed9', 'tags': [], 'refsource': 'FEDORA'}

30 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -

20 Oct 2021, 11:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

13 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

16 Jun 2021, 14:02

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:::::::* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*

14 Jun 2021, 18:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

30 Apr 2021, 20:58

Type	Values Removed	Values Added
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0002/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0002/ - Third Party Advisory

30 Apr 2021, 08:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0002/ -

27 Apr 2021, 14:09

Type	Values Removed	Values Added
References	~~(MLIST) https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:9.0:::::::*

27 Apr 2021, 10:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E -

06 Apr 2021, 19:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E -

03 Apr 2021, 23:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html -

25 Mar 2021, 19:39

Type	Values Removed	Values Added
References	~~(MISC) https://x-stream.github.io/security.html#workaround -~~	(MISC) https://x-stream.github.io/security.html#workaround - Mitigation, Third Party Advisory
References	~~(MISC) https://x-stream.github.io/CVE-2021-21345.html -~~	(MISC) https://x-stream.github.io/CVE-2021-21345.html - Exploit, Third Party Advisory
References	~~(CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 -~~	(CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - Third Party Advisory
References	~~(MISC) http://x-stream.github.io/changes.html#1.4.16 -~~	(MISC) http://x-stream.github.io/changes.html#1.4.16 - Release Notes, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 9.9
CPE		cpe:2.3:a:xstream_project:xstream::::::::

23 Mar 2021, 00:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-03-23 00:15

Updated : 2023-12-10 13:41

NVD link : CVE-2021-21345

Mitre link : CVE-2021-21345

CVE.ORG link : CVE-2021-21345

JSON object : View

Products Affected

oracle

communications_billing_and_revenue_management_elastic_charging_engine
banking_platform
banking_virtual_account_management
retail_xstore_point_of_service
communications_policy_management
communications_unified_inventory_management
peoplesoft_enterprise_peopletools
webcenter_portal
business_activity_monitoring
banking_enterprise_default_management

xstream_project

xstream

fedoraproject

fedora

debian

debian_linux

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-502

Deserialization of Untrusted Data

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.9 /10