CVE-2021-39144
Published: 23 August 2021
Summary
CVE-2021-39144 is a high-severity Code Injection (CWE-94) vulnerability in Oracle Utilities Framework. Its CVSS base score is 8.5 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
XStream is a Java library used to serialize objects to XML and deserialize them back. CVE-2021-39144 is a deserialization vulnerability (CWE-502) combined with code injection (CWE-94) and missing authentication (CWE-306) that affects versions prior to 1.4.18. An attacker who can supply a crafted input stream can trigger arbitrary command execution on the host system. The issue stems from reliance on a blacklist that proved insufficient to prevent instantiation of dangerous types during unmarshalling.
A remote attacker with limited privileges can exploit the flaw over the network by manipulating the processed XML input. Successful exploitation yields full command execution on the target host, resulting in complete compromise of confidentiality, integrity, and availability with scope change, as reflected in the CVSS 8.5 rating. No interaction or special user interface actions are required beyond the ability to influence the deserialized stream.
Advisories recommend migrating to XStream 1.4.18 or later, which disables the insecure blacklist default and requires an explicit whitelist of only the minimal required types. The GitHub security advisory and downstream notices from Debian and Fedora list the affected packages and provide updated builds that enforce this safer configuration. A public exploit targeting VMware NSX Manager demonstrates that unauthenticated remote code execution is achievable in at least one widely deployed product when the vulnerable library is present without additional hardening.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-1771
Vulnerability details
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
- CWE(s): CWE-94, CWE-502, CWE-306
- KEV Date Added: 10 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of untrusted XML input streams before deserialization, blocking the crafted objects that trigger arbitrary command execution.
- CM-7 (Least Functionality): Requires disabling unnecessary deserialization functionality and restricting allowable types to an explicit minimal whitelist, exactly the configuration change that eliminates the CVE.
- Timely patching: Mandates timely application of the XStream 1.4.18+ update that removes the insecure blacklist default and enforces safer type handling.