CVE-2021-21342

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS v3 9.1 CRITICAL
CVSS v2.0 5.8 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://x-stream.github.io/changes.html#1.4.16	Release Notes Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m	Third Party Advisory
https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
https://security.netapp.com/advisory/ntap-20210430-0002/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5004	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Not Applicable
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://x-stream.github.io/CVE-2021-21342.html	Exploit Third Party Advisory
https://x-stream.github.io/security.html#workaround	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.4.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
	cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:::::::*
	cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

History

09 Mar 2023, 15:18

Type	Values Removed	Values Added
CPE	cpe:2.3:a:oracle:mysql_server::::::::	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.2:::::::* cpe:2.3:a:oracle:banking_platform:2.4.0:::::::* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::* cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::* cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::* cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::* cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:::::::* cpe:2.3:a:oracle:banking_platform:2.7.1:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::* cpe:2.3:a:oracle:banking_platform:2.9.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:::::::* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::* cpe:2.3:a:oracle:banking_platform:2.12.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Vendor Advisory~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Not Applicable

16 Feb 2022, 14:50

Type	Values Removed	Values Added
CVSS	v2 : ~~6.4~~ v3 : ~~9.1~~	v2 : 5.8 v3 : 9.1
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Vendor Advisory
CPE		cpe:2.3:a:oracle:mysql_server::::::::

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

30 Nov 2021, 22:09

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:a:oracle:communications_policy_management:12.5.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:fedoraproject:fedora:34:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ - Mailing List, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-5004 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-5004 - Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - Mailing List, Third Party Advisory

11 Nov 2021, 23:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2021/dsa-5004 -

30 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ -

20 Oct 2021, 11:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

13 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

Information

Published : 2021-03-23 00:15

Updated : 2024-02-04 21:23

NVD link : CVE-2021-21342

Mitre link : CVE-2021-21342

CVE.ORG link : CVE-2021-21342

JSON object : View

Products Affected

oracle

retail_xstore_point_of_service
banking_platform
communications_policy_management
communications_unified_inventory_management
webcenter_portal
banking_virtual_account_management
communications_brm_-_elastic_charging_engine
business_activity_monitoring
banking_enterprise_default_management

debian

debian_linux

xstream_project

xstream

fedoraproject

fedora

CWE

CWE-502

Deserialization of Untrusted Data

CWE-918

Server-Side Request Forgery (SSRF)

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-21342

9.1^/10

5.8^/10

Attach tags to `CVE-2021-21342`