XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

The 12.4.0.0 versions of Enterprise Manager Ops Center installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Vulnerability in the Enterprise Manager Ops Center product of Oracle Enterprise Manager (component: Guest     Management (XStream)). The supported version that is affected is 12.4.0.0. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager     Ops Center. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Ops     Center. (CVE-2021-29505)

  - Vulnerability in the Enterprise Manager Ops Center product of Oracle Enterprise Manager Ops Center     (component: Common Core (XStream)). The supported version that is affected is 12.4.0.0. Easily exploitable     vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager     Ops Center. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Ops     Center. (CVE-2021-21345) 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira installed on the remote host is prior to 8.17.x < 8.18.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-72669 advisory.

  - Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505 (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has xstream packages installed that are affected by a vulnerability:

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has xstream packages installed that are affected by a vulnerability:

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5004 advisory.

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system     depending on CPU type or parallel execution of such a payload resulting in a denial of service only by     manipulating the processed input stream. No user is affected who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21341)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in a server-side forgery request. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21342)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in the deletion of a file on the local host. No user is affected, who followed the recommendation     to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely     on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21343)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a     remote host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands     of the host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21345)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU     time and will never return. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21348)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to request data from internal resources that     are not publicly available only by manipulating the processed input stream. No user is affected, who     followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal     required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use     at least version 1.4.16. (CVE-2021-21349)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating     the processed input stream. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21350)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host     only by manipulating the processed input stream. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21351)

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities.

  - Component: WebCenter Sites (Terracotta Quartz Scheduler)). The supported   versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable   vulnerability allows unauthenticated attacker with network access via HTTP to   compromise Oracle WebCenter Sites. Successful attacks of this vulnerability   can result in takeover of Oracle WebCenter Sites. (CVE-2019-13990)

  - Component: WebCenter Sites (XStream)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows low privileged attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in takeover of Oracle WebCenter Sites. (CVE-2021-29505)

  - Component: WebCenter Sites (dojo)). The supported versions that are   affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability   allows unauthenticated attacker with network access via HTTP to compromise   Oracle WebCenter Sites. Successful attacks of this vulnerability can result   in unauthorized creation, deletion or modification access to critical data or   all Oracle WebCenter Sites accessible data. (CVE-2020-5258)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the October 2021 Critical Patch Update (CPU). It is, therefore, affected by a vulnerability in the Discussion Forums (XStream) component that is easily exploitable by a remote, low privileged attacker to compromise Oracle WebCenter Portal's confidentiality, integrity and availability.

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-14. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1698 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1995-1 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:2683 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-2683 advisory.

    [1.3.1-14]
    - Fix remote code execution vulnerability
    - Resolves: CVE-2021-29505

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by a vulnerability as referenced in the SLSA-2021:2683-1 advisory.

  - XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:2683 advisory.

    XStream is a Java XML serialization library to serialize objects to and deserialize object from XML.

    Security Fix(es):

    * XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2704 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:0911-1 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2021:1995-1 advisory.

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
170201	Oracle Enterprise Manager Ops Center UI and Other Patches (Oct 2021 CPU)	Nessus	Misc.	critical
162748	Atlassian Jira 8.17.x < 8.18.0 (JRASERVER-72669)	Nessus	CGI abuses	high
160824	NewStart CGSL CORE 5.05 / MAIN 5.05 : xstream Vulnerability (NS-SA-2022-0045)	Nessus	NewStart CGSL Local Security Checks	high
160764	NewStart CGSL CORE 5.04 / MAIN 5.04 : xstream Vulnerability (NS-SA-2022-0007)	Nessus	NewStart CGSL Local Security Checks	high
155294	Debian DSA-5004-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	critical
154418	Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)	Nessus	Windows	critical
154326	Oracle WebCenter Portal RCE (Oct 2021 CPU)	Nessus	Misc.	high
152234	Amazon Linux 2 : xstream (ALAS-2021-1698)	Nessus	Amazon Linux Local Security Checks	high
151711	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1995-1)	Nessus	SuSE Local Security Checks	high
151614	CentOS 7 : xstream (RHSA-2021:2683)	Nessus	CentOS Local Security Checks	high
151505	Oracle Linux 7 : xstream (ELSA-2021-2683)	Nessus	Oracle Linux Local Security Checks	high
151503	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:2683)	Nessus	Scientific Linux Local Security Checks	high
151493	RHEL 7 : xstream (RHSA-2021:2683)	Nessus	Red Hat Local Security Checks	high
151373	Debian DLA-2704-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high
151061	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:0911-1)	Nessus	SuSE Local Security Checks	high
150898	SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2021:1995-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2021-29505

high

Tenable Plugins

critical

high

high

high

critical

critical

high

high

high

high

high

high

high

high

high

high