⚠ Actively exploited

Added to CISA KEV on 2023-03-10. Federal agencies required to patch by 2023-03-31. Required action: Apply updates per vendor instructions..

CVE-2021-39144

CWE-94 — Code Injection CWE-502 — Deserialization of Untrusted Data CWE-306 — Missing Authentication15 documents13 sources

Severity

8.5HIGH

EPSS

94.3%

top 0.07%

CISA KEV

KEV

Added 2023-03-10

Due 2023-03-31

Exploit

Exploited in wild

Active exploitation observed

Affected products

X-stream Xstream Xstream Xstream Debian Debian Linux +12 more

Timeline

PublishedAug 23

KEV addedMar 10

Latest updateMar 13

KEV dueMar 31

CISA Required Action: Apply updates per vendor instructions.

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages15 packages

▶NVDxstream/xstream< 1.4.18

▶CVEListV5x-stream/xstream< 1.4.18

▶Mavencom.thoughtworks.xstream:xstream< 1.4.18

▶Debianlibxstream-java< 1.4.15-3+deb11u1+3

▶NVDoracle/utilities_framework7 versions+6

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

libxstream-java vulnerabilities↗2023-03-13

▶

OSV

XStream is vulnerable to a Remote Command Execution attack↗2021-08-25

▶

GHSA

XStream is vulnerable to a Remote Command Execution attack↗2021-08-25

▶

CVEList

XStream is vulnerable to a Remote Command Execution attack↗2021-08-23

▶

OSV

CVE-2021-39144: XStream is a simple library to serialize objects to XML and back again↗2021-08-23

▶

💥Exploits & PoCs

Nuclei

XStream 1.4.18 - Remote Code Execution

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible VMWare NSX Manager Remote Code Execution Exploit Attempt (CVE-2021-39144)↗2022-10-28

▶

📋Vendor Advisories

Ubuntu

XStream vulnerabilities↗2023-03-13

▶

CISA

XStream Remote Code Execution Vulnerability↗2023-03-10

▶

VMware

VMware Cloud Foundation updates address multiple vulnerabilities.↗2022-10-25

▶

Red Hat

xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*↗2021-08-22

▶

Debian

CVE-2021-39144: libxstream-java - XStream is a simple library to serialize objects to XML and back again. In affec...↗2021

▶