XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5946-1 advisory.

    Lai Han discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2021-39140)

    It was discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-39139,     CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148,     CVE-2021-39149, CVE-2021-39151, CVE-2021-39153, CVE-2021-39154)

    It was discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2021-39150, CVE-2021-39152)

    Lai Han discovered that XStream incorrectly handled certain inputs. If a user or an automated system were     tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to     cause a denial of service. (CVE-2022-41966)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1729 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5004 advisory.

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system     depending on CPU type or parallel execution of such a payload resulting in a denial of service only by     manipulating the processed input stream. No user is affected who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21341)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in a server-side forgery request. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21342)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in the deletion of a file on the local host. No user is affected, who followed the recommendation     to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely     on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21343)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a     remote host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands     of the host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21345)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU     time and will never return. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21348)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to request data from internal resources that     are not publicly available only by manipulating the processed input stream. No user is affected, who     followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal     required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use     at least version 1.4.16. (CVE-2021-21349)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating     the processed input stream. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21350)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host     only by manipulating the processed input stream. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21351)

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1401-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-3956 advisory.

    - Resolves: CVE-2021-39148
    - Resolves: CVE-2021-39139
    - Resolves: CVE-2021-39140
    - Resolves: CVE-2021-39141
    - Resolves: CVE-2021-39144
    - Resolves: CVE-2021-39145
    - Resolves: CVE-2021-39146
    - Resolves: CVE-2021-39147
    - Resolves: CVE-2021-39148
    - Resolves: CVE-2021-39149
    - Resolves: CVE-2021-39150
    - Resolves: CVE-2021-39151
    - Resolves: CVE-2021-39152
    - Resolves: CVE-2021-39153
    - Resolves: CVE-2021-39154
    - Resolves: CVE-2021-29505
    - Resolves: CVE-2021-21344
    - Resolves: CVE-2021-21345
    - Resolves: CVE-2021-21346
    - Resolves: CVE-2021-21347
    - Resolves: CVE-2021-21350
    - Resolves: CVE-2020-26217
    - Resolves: CVE-2013-7285
    - Resolves: CVE-2013-1571

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3956 advisory.

    XStream is a Java XML serialization library to serialize objects to and deserialize object from XML.

    Security Fix(es):

    * xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl     (CVE-2021-39139)

    * xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*     (CVE-2021-39141)

    * xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)

    * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration     (CVE-2021-39145)

    * xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue     (CVE-2021-39146)

    * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration     (CVE-2021-39147)

    * xstream: Arbitrary code execution via unsafe deserialization of     com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

    * xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)

    * xstream: Server-side request forgery (SSRF) via unsafe deserialization of     com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

    * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration     (CVE-2021-39151)

    * xstream: Server-side request forgery (SSRF) via unsafe deserialization of     jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

    * xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl     (CVE-2021-39153)

    * xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue     (CVE-2021-39154)

    * xstream: Infinite loop DoS via unsafe deserialization of     sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:3956-1 advisory.

  - xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl     (CVE-2021-39139, CVE-2021-39153)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*     (CVE-2021-39141)

  - xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration     (CVE-2021-39145, CVE-2021-39151)

  - xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue     (CVE-2021-39146, CVE-2021-39154)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration     (CVE-2021-39147)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator     (CVE-2021-39148)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

  - xstream: Infinite loop DoS via unsafe deserialization of     sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3476-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3476-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2769 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172496	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : XStream vulnerabilities (USN-5946-1)	Nessus	Ubuntu Local Security Checks	high
155989	Amazon Linux 2 : xstream (ALAS-2021-1729)	Nessus	Amazon Linux Local Security Checks	high
155294	Debian DSA-5004-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	critical
154764	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1401-1)	Nessus	SuSE Local Security Checks	high
154433	Oracle Linux 7 : xstream (ELSA-2021-3956)	Nessus	Oracle Linux Local Security Checks	high
154419	RHEL 7 : xstream (RHSA-2021:3956)	Nessus	Red Hat Local Security Checks	high
154412	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:3956)	Nessus	Scientific Linux Local Security Checks	high
154298	SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2021:3476-1)	Nessus	SuSE Local Security Checks	high
154285	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:3476-1)	Nessus	SuSE Local Security Checks	high
153811	Debian DLA-2769-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-39149

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high