Recently, NSFOCUS found that XStream released security advisories disclosing 14 security vulnerabilities in its products. An attacker could exploit these vulnerabilities to conduct a DoS, server-side request forgery (SSRF), or remote code execution (RCE) attack.
XStream is a tool to serialize Java objects to XML and back again. When serializing JavaBeans or deserializing XML files, it does not require other auxiliary classes and mapping files, which makes XML serialization no longer cumbersome.
An attacker can manipulate the processed input stream and replace or inject an object, which can cause an endless loop resulting in a denial of service.
An attacker can manipulate the processed input stream and replace or inject objects, thus resulting in remote command execution on the server.
CVE-2021-39139, CVE-2021-39141, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151, CVE-2021-39153, and CVE-2021-39154
An attacker can manipulate the processed input stream and replace or inject objects, thus resulting in execution of arbitrary code loaded from a remote server.
An attacker can manipulate the processed input stream and replace or inject objects, resulting in a SSRF.
Reference link: https://x-stream.github.io/security.html#workaround
Scope of Impact
- Xstream <= 1.4.17
- Xstream = 1.4.18
1。 Official Fix
Currently, this vulnerability has been fixed in the latest version by using XStream’s security framework to implement a whitelist for the allowed types. If you are affected by this vulnerability, please upgrade your installation as soon as possible via https://x-stream.github.io/download.html.
If it is impossible to upgrade currently, users can take the following mitigation measures by referring to the official link:
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific