Published: 23/03/2021 Updated: 21/11/2024

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote malicious user to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Vulnerable Product	Search on Vulmon	Subscribe to Product
xstream project xstream
debian debian linux 9.0
debian debian linux 10.0
debian debian linux 11.0
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35
oracle banking enterprise default management 2.10.0
oracle banking enterprise default management 2.12.0
oracle banking platform 2.4.0
oracle banking platform 2.7.1
oracle banking platform 2.9.0
oracle banking platform 2.12.0
oracle banking virtual account management 14.2.0
oracle banking virtual account management 14.3.0
oracle banking virtual account management 14.5.0
oracle business activity monitoring 11.1.1.9.0
oracle business activity monitoring 12.2.1.3.0
oracle business activity monitoring 12.2.1.4.0
oracle communications billing and revenue management elastic charging engine 12.0.0.3.0
oracle communications policy management 12.5.0
oracle communications unified inventory management 7.3.2
oracle communications unified inventory management 7.3.4
oracle communications unified inventory management 7.3.5
oracle communications unified inventory management 7.4.0
oracle communications unified inventory management 7.4.1
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0.4
oracle retail xstore point of service 18.0.3
oracle retail xstore point of service 19.0.2
oracle webcenter portal 11.1.1.9.0
oracle webcenter portal 12.2.1.3.0
oracle webcenter portal 12.2.1.4.0
oracle weblogic server 12.1.3.0.0
oracle weblogic server 12.2.1.3.0
oracle weblogic server 12.2.1.4.0
oracle weblogic server 14.1.1.0.0

Debian Bug report logs - #985843 libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351 Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsal ...

Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream XStream itself sets up a whitelist by default now, ie it blocks all c ...

A flaw was found in xstream A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2021-21344) A flaw was found in xstream A remote attacker, who has ...

CWE-434 CWE-502 CWE-434 CWE-502 https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985843 https://www.first.org/epss http://x-stream.github.io/changes.html#1.4.16 https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/https://security.netapp.com/advisory/ntap-20210430-0002/https://www.debian.org/security/2021/dsa-5004 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://x-stream.github.io/CVE-2021-21347.html https://x-stream.github.io/security.html#workaround http://x-stream.github.io/changes.html#1.4.16 https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/https://security.netapp.com/advisory/ntap-20210430-0002/https://www.debian.org/security/2021/dsa-5004 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://x-stream.github.io/CVE-2021-21347.html https://x-stream.github.io/security.html#workaround

CVE-2021-21347

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect