CVE-2021-39144

XStream is vulnerable to a Remote Command Execution attack

CVSS 8.5 (High) · EPSS 98.5% · KEV · CWE-502 · CWE-94
In short

XStream, a library that converts objects to XML, can be exploited by attackers to run arbitrary commands on a server if the input data is manipulated. This happens because the library deserializes untrusted data without proper restrictions.

Technical detail

Remote code execution vulnerability in XStream's deserialization process (CWE-502, CWE-94): a remote attacker with sufficient rights to supply the processed input stream (the vector below requires low privileges, PR:L) can execute arbitrary system commands by crafting the XML input. Exploitation requires that the application deserializes untrusted data with XStream. Mitigation is to configure XStream's security framework with a whitelist limited to the types the application actually needs, or to upgrade to 1.4.18 or later, which no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use, and relies on the whitelist recommendation instead.

Summary generated and translated by AI from the official description.
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
x-stream · xstream