CVE-2021-39144 vulnerability in Xstreamproject and Other Products
Published on August 23, 2021
Known Exploited Vulnerability
This XStream Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects, which results in execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.
The following remediation steps are recommended / required by March 31, 2023: apply updates per vendor instructions.
Vulnerability Analysis
CVE-2021-39144 is exploitable with network access and requires only a low level of user privileges. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 1.8 out of 4. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2021-39144 has been classified as a Code Injection vulnerability or weakness.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-39144 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
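The two weakness classes above (code injection and unsafe unmarshaling) meet in XStream at the point where the library maps an incoming XML element name to a Java class. The documented mitigation is XStream's security framework: deny every type first, then allow only the application's own types. The following example is added here and is not code from stack.watch or the XStream project; the `User` and `Other` classes, the aliases and the XML inputs are constructed for illustration. It uses only the public `com.thoughtworks.xstream.security` API, and the allowlist below is the same configuration XStream recommends as a workaround for 1.4.17 and older, where an instance without this setup accepts any class on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Constructed application type: the only object the service expects from clients.
    public static class User {
        public String name;
        public int age;
    }

    // Constructed type that is deliberately NOT on the allowlist, to show the deny path.
    public static class Other {
        public String note;
    }

    // Hardened instance: start from "nothing is allowed", then add exactly what is needed.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.alias("user", User.class);
        xs.alias("other", Other.class);

        // Drop every permission, including the library defaults, so the allowlist is explicit.
        xs.addPermission(NoTypePermission.NONE);
        // Re-admit null and the Java primitives, which almost every document needs.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Allow only the concrete types this endpoint is designed to receive.
        xs.allowTypes(new Class[] { String.class, User.class });
        return xs;
    }

    // Parses untrusted XML; any element resolving to a non-allowed class is rejected
    // with ForbiddenClassException before an instance of it is ever created.
    static User parseUser(XStream xs, String untrustedXml) {
        return (User) xs.fromXML(untrustedXml);
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed User, one naming a class outside the allowlist.
        String expected = "<user><name>alice</name><age>42</age></user>";
        String unexpected = "<other><note>type not on the allowlist</note></other>";

        XStream xs = hardenedXStream();

        User u = parseUser(xs, expected);
        System.out.println("parsed user: " + u.name + " / " + u.age);

        try {
            parseUser(xs, unexpected);
            System.out.println("unexpected type was accepted (allowlist misconfigured)");
        } catch (ForbiddenClassException e) {
            // This is the outcome a hardened service should log and alert on.
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

The order of calls matters: `addPermission(NoTypePermission.NONE)` must come first, because it clears all previously registered permissions, and the `allowTypes` call is then the only thing letting application classes through. Upgrading to 1.4.18 or later is still the primary fix; the allowlist limits exposure in the meantime and remains good practice afterwards, since it confines deserialization to the types the application actually expects.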
Products Associated with CVE-2021-39144
What versions are vulnerable to CVE-2021-39144?
- Xstreamproject Xstream Fixed in Version 1.4.18
- Debian Linux Version 9.0
- Debian Linux Version 10.0
- Debian Linux Version 11.0
- Fedora Project Fedora Version 33
- Fedora Project Fedora Version 34
- Fedora Project Fedora Version 35
- NetApp Snapmanager Version - oracle
- NetApp Snapmanager Version - sap
- Oracle Webcenter Portal Version 12.2.1.3.0
- Oracle Utilities Framework Version 4.2.0.3.0
- Oracle Utilities Framework Version 4.2.0.2.0
- Oracle Utilities Framework Version 4.3.0.6.0
- Oracle Utilities Framework Version 4.4.0.0.0
- Oracle Communications Unified Inventory Management Version 7.3.4
- Oracle Communications Unified Inventory Management Version 7.3.5
- Oracle Communications Unified Inventory Management Version 7.4.0
- Oracle Webcenter Portal Version 12.2.1.4.0
- Oracle Utilities Framework Version 4.4.0.2.0
- Oracle Communications Billing Revenue Management Elastic Charging Engine Version 11.3
- Oracle Communications Billing Revenue Management Elastic Charging Engine Version 12.0
- Oracle Business Activity Monitoring Version 12.2.1.4.0
- Oracle Commerce Guided Search Version 11.3.2
- Oracle Communications Unified Inventory Management Version 7.4.1
- Oracle Retail Xstore Point Of Service Version 16.0.6
- Oracle Retail Xstore Point Of Service Version 17.0.4
- Oracle Retail Xstore Point Of Service Version 18.0.3
- Oracle Retail Xstore Point Of Service Version 19.0.2
- Oracle Retail Xstore Point Of Service Version 20.0.1
- Oracle Utilities Framework Version 4.4.0.3.0
- Oracle Utilities Testing Accelerator Version 6.0.0.1.1
- Oracle Communications Cloud Native Core Binding Support Function Version 1.10.0
- Oracle Utilities Framework Version 4.3.0.1.0
- Oracle Communications Cloud Native Core Policy Version 1.14.0
- Oracle Communications Unified Inventory Management Version 7.4.2
- Oracle Communications Cloud Native Core Automated Test Suite Version 1.9.0
Vulnerable Packages
The following package name and versions may be associated with CVE-2021-39144.

| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.thoughtworks.xstream:xstream | < 1.4.18 | 1.4.18 |