Cyber Resilience

CVE-2021-39144

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 23 August 2021
Modified: 24 October 2025
KEV Added: 10 March 2023
Patch
CVSS Score (v3.1): 8.5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.9425 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-39144 is a high-severity code injection (CWE-94) vulnerability in XStream, the Java library for serializing objects to XML and back, reached through deserialization of attacker-controlled XML; the vendor products listed under Affected Assets are affected because they bundle the vulnerable library. Its CVSS v3.1 base score is 8.5 (High).

Operationally, its EPSS score places it in the top 0.1% of CVEs by exploit likelihood; CISA added it to the Known Exploited Vulnerabilities catalog on 10 March 2023; and a public proof-of-concept is referenced.

The strongest mitigations identified in the analysis below are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

XStream is a Java library used to serialize objects to XML and deserialize them back. CVE-2021-39144 is a deserialization vulnerability (CWE-502) combined with code injection (CWE-94) and missing authentication (CWE-306) that affects XStream versions prior to 1.4.18. An attacker who can supply a crafted input stream can trigger arbitrary command execution on the host. The root cause is XStream's reliance on a default blacklist of known-dangerous types: a blacklist can only name the gadget classes already known, so it proved insufficient to prevent instantiation of other dangerous types during unmarshalling.

A remote attacker with limited privileges (PR:L) can exploit the flaw over the network by manipulating the XML that the application passes to XStream for unmarshalling; the attack complexity is rated high (AC:H) because a suitable gadget chain must be present on the target's classpath. Successful exploitation yields command execution on the target host, resulting in complete compromise of confidentiality, integrity, and availability with scope change, as reflected in the CVSS 8.5 rating. No user interaction is required beyond the ability to influence the deserialized stream.

Advisories recommend migrating to XStream 1.4.18 or later, which no longer uses the insecure blacklist by default, and configuring XStream's security framework with an explicit whitelist of only the minimal required types; the advisory notes that users who had already followed that whitelist recommendation were not affected, even on older versions. The GitHub security advisory and downstream notices from Debian and Fedora list the affected packages and provide updated builds. A public exploit targeting VMware NSX Manager demonstrates that unauthenticated remote code execution is achievable in at least one widely deployed product when the vulnerable library is present without additional hardening.
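The whitelist configuration the advisory recommends, shown as an added example that is not from this page or from the XStream project. It assumes xstream 1.4.18 or later on the classpath (the allowlist API used here has existed since 1.4.7, which is why users who had already configured it were not affected); the `Order` class, the `order` alias and both XML inputs are constructed for the demonstration.

```java
// Added example (not from the page or the XStream project): replacing XStream's
// blacklist default with an explicit allowlist of the types the application needs.
// Assumes com.thoughtworks.xstream:xstream 1.4.18+ on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application DTO, constructed for this demonstration.
    public static class Order {
        String id;
        int quantity;
    }

    // The pre-1.4.18 pattern: a bare XStream instance relies on the built-in
    // blacklist, so any type not on that list may be instantiated from input.
    static XStream legacyDefault() {
        return new XStream();
    }

    // Hardened instance: deny everything, then re-admit only what is required.
    static XStream hardened() {
        XStream xs = new XStream();
        // NoTypePermission.NONE clears all predefined permissions (deny all).
        xs.addPermission(NoTypePermission.NONE);
        // Re-admit null, primitives and their wrappers, plus the DTO and String.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        // Alias so the XML does not expose the fully qualified class name.
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed benign input matching the allowlisted DTO.
        String benign = "<order><id>A-17</id><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(benign);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed input whose root element names a class that is not on the
        // allowlist. XStream resolves the element name to a class, consults the
        // security framework, and refuses before any instantiation takes place.
        String unlisted = "<java.util.HashMap/>";
        try {
            xs.fromXML(unlisted);
            System.out.println("UNEXPECTED: unlisted type was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of `addPermission` calls matters: `NoTypePermission.NONE` must come first, because it wipes the default permissions; every later `allowTypes`, `allowTypeHierarchy` or `allowTypesByWildcard` call then adds to an otherwise empty list. Keep the list to the types the endpoint genuinely unmarshals; a wildcard such as `java.util.**` would re-admit collection classes that gadget chains are built from.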

Vulnerability details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

CWE(s): CWE-94 (Code Injection), CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xstream: xstream, versions < 1.4.18
debian: debian linux 9.0, 10.0, 11.0
fedoraproject: fedora 33, 34, 35
netapp: snapmanager, all versions
oracle: business activity monitoring 12.2.1.4.0
oracle: commerce guided search 11.3.2
oracle: communications billing and revenue management elastic charging engine 11.3, 12.0
oracle: communications cloud native core automated test suite 1.9.0
oracle: communications cloud native core binding support function 1.10.0
oracle: communications cloud native core policy 1.14.0
+5 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: enforces validation of untrusted XML input before it reaches the deserializer, which, for XStream, means restricting the types the unmarshaller will instantiate so that crafted objects that trigger command execution are rejected up front.

CM-7 (Least Functionality), prevent: requires disabling deserialization functionality that is not needed and restricting allowable types to an explicit minimal whitelist, the configuration change the XStream advisory itself identifies as sufficient to avoid the flaw.

prevent: mandates timely application of the XStream 1.4.18+ update, which drops the insecure blacklist default, and of the corresponding vendor builds for products that bundle the library.
