Multiple High-Risk Vulnerabilities in XStream

Mar 19, 2021 GMT+08:00

I. Overview

XStream has officially released security updates and disclosed multiple high-risk vulnerabilities affecting versions earlier than 1.4.16. Attackers can exploit these vulnerabilities by supplying manipulated input for unmarshalling to perform malicious operations, such as remote code execution, denial of service (DoS), and arbitrary file deletion. Proof-of-concept (PoC) code has already been released. If you use XStream, check your systems and apply the security hardening promptly.

For more information about these vulnerabilities, visit the following website:

XStream official notices

CVE-2021-21341: XStream is vulnerable to a denial-of-service (DoS) attack when unmarshalling manipulated input.

CVE-2021-21342: A server-side request forgery (SSRF) can be triggered while unmarshalling with XStream, fetching data streams from an arbitrary URL that references a resource on an intranet or on the local host.

CVE-2021-21343: XStream is vulnerable to arbitrary file deletion on the local host when unmarshalling, as long as the executing process has sufficient rights.

CVE-2021-21344: XStream is vulnerable to an arbitrary code execution attack.

CVE-2021-21345: XStream is vulnerable to a remote command execution attack.

CVE-2021-21346: XStream is vulnerable to an arbitrary code execution attack.

CVE-2021-21347: XStream is vulnerable to an arbitrary code execution attack.

CVE-2021-21348: XStream is vulnerable to a regular-expression denial-of-service (ReDoS) attack.

CVE-2021-21349: A server-side request forgery (SSRF) can be triggered while unmarshalling with XStream, fetching data streams from an arbitrary URL that references a resource on an intranet or on the local host.

CVE-2021-21350: XStream is vulnerable to an arbitrary code execution attack.

CVE-2021-21351: XStream is vulnerable to an arbitrary code execution attack.

II. Severity

Severity: important

(Severity levels: low, moderate, important, critical)

III. Affected Products

Affected versions:

XStream earlier than 1.4.16

Secure versions:

XStream 1.4.16 or later

IV. Vulnerability Handling

These vulnerabilities have been fixed in the latest official release. If your XStream version falls within the affected range, upgrade to a secure version:

http://x-stream.github.io/download.html

Note: Back up your files before applying the fix, and test the upgraded service thoroughly before returning it to production.
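Every CVE listed in section I is reached the same way: XStream instantiates whatever class name appears in attacker-controlled input during unmarshalling. Upgrading to 1.4.16 is the fix this notice requires; in addition, XStream's own security framework lets an application restrict unmarshalling to an explicit allowlist of types, so an unexpected class is rejected before any converter runs. The following is an added example written for this page, not code from XStream or from this notice. It assumes XStream 1.4.16 (Maven coordinates com.thoughtworks.xstream:xstream:1.4.16) is on the classpath; the `Order` class, the element names and the two input documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

/**
 * Added example (not XStream project code). Assumes xstream 1.4.16
 * (com.thoughtworks.xstream:xstream:1.4.16) is on the classpath.
 */
public class HardenedXStream {

    /** Hypothetical application DTO: the only user-defined type we expect to unmarshal. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XStream instance that rejects every type not on the allowlist. */
    public static XStream newHardenedXStream() {
        XStream xstream = new XStream();
        // Start from "deny all": this removes the permissive default of older releases.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what the application actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /**
     * Returns true if XStream refused the document because it names a type
     * outside the allowlist (ForbiddenClassException, possibly wrapped when the
     * offending element is nested). Any other XStream failure is propagated.
     */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xstream = newHardenedXStream();

        // Constructed benign input that matches the allowlist.
        String benign = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order order = (Order) xstream.fromXML(benign);
        System.out.println("benign: id=" + order.id + " quantity=" + order.quantity);

        // Constructed input naming a JDK type that is not on the allowlist.
        // The point of the allowlist is that XStream never instantiates a
        // class just because the input names it; the lookup fails first.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        System.out.println("unexpected type rejected: " + isRejected(xstream, unexpected));
    }
}
```

Treat the allowlist as defence in depth, not as a substitute for the upgrade: keep the list of allowed types as short as the application's data model permits, and review it whenever a new DTO is added. If a legitimate document starts being rejected after hardening, the `ForbiddenClassException` message names the class that needs to be added.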