CVE-2021-39139

Q: What is the severity of CVE-2021-39139?

CVE-2021-39139 has a CVSS score of 8.5 (HIGH). CVE-2021-39139 is a remote code execution vulnerability in XStream library that allows attackers to execute arbitrary code by manipulating XML input streams. Users are affected if they use XStream out-of-the-box with JDK 1.7u21 or below, or with external Xalan configurations. Users who implemented XStream's security framework with proper type whitelists are not vulnerable.

8.5 HIGH

Remote Code Execution Deserialization

📋 TL;DR

CVE-2021-39139 is a remote code execution vulnerability in XStream library that allows attackers to execute arbitrary code by manipulating XML input streams. Users are affected if they use XStream out-of-the-box with JDK 1.7u21 or below, or with external Xalan configurations. Users who implemented XStream's security framework with proper type whitelists are not vulnerable.

💻 Affected Systems

Products:

XStream

Versions: All versions before 1.4.18

Operating Systems: All platforms running Java

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerable by default in versions before 1.4.18. Users with JDK 1.7u21 or below are particularly vulnerable, but external Xalan configurations can bypass JDK version restrictions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing remote code execution, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential ransomware deployment.

🟢

If Mitigated

No impact if proper security framework with minimal type whitelist is implemented.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication possible on exposed endpoints.

🏢 Internal Only: MEDIUM - Requires attacker access to internal systems but can lead to lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malicious XML input to XStream endpoints. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.18

Vendor Advisory: https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44

Restart Required: Yes

Instructions:

1. Update XStream dependency to version 1.4.18 or later. 2. Update pom.xml or build.gradle to use latest version. 3. Restart application. 4. Verify security framework is properly configured.

🔧 Temporary Workarounds

Implement XStream Security Framework

all

Configure XStream with a minimal type whitelist to prevent deserialization of dangerous classes

XStream xstream = new XStream();
xstream.allowTypes(new Class[]{MySafeClass1.class, MySafeClass2.class});

🧯 If You Can't Patch

Implement strict input validation and sanitization for all XML inputs
Deploy network segmentation and WAF rules to block malicious XML payloads

🔍 How to Verify

Check if Vulnerable:

Check XStream version in dependencies: grep -r "xstream" pom.xml build.gradle *.jar

Check Version:

java -cp xstream-*.jar com.thoughtworks.xstream.XStream --version

Verify Fix Applied:

Verify XStream version is 1.4.18 or higher and security framework is configured with type whitelist

📡 Detection & Monitoring

Log Indicators:

Unusual XML parsing errors
Attempts to deserialize unexpected classes
Outbound connections to unknown hosts after XML processing

Network Indicators:

Malformed XML payloads in HTTP requests
Suspicious Java class names in XML content

SIEM Query:

source="application.logs" AND ("XStream" OR "deserialization") AND ("error" OR "exception")

📊 Metadata

CVE ID: CVE-2021-39139

CVSS v3 Score: 8.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-434

Published: August 23, 2021

Last Updated: May 23, 2025

🔗 References

https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Mailing List
https://security.netapp.com/advisory/ntap-20210923-0003/ Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
https://x-stream.github.io/CVE-2021-39139.html Vendor Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Mailing List
https://security.netapp.com/advisory/ntap-20210923-0003/ Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
https://x-stream.github.io/CVE-2021-39139.html Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Business Activity Monitoring by Oracle

Commerce Guided Search by Oracle

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Communications Cloud Native Core Automated Test Suite by Oracle

Communications Cloud Native Core Binding Support Function by Oracle

Communications Cloud Native Core Policy by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Debian Linux by Debian

Debian Linux by Debian

Debian Linux by Debian

Fedora by Fedoraproject

Fedora by Fedoraproject

Fedora by Fedoraproject

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Snapmanager by Netapp

Snapmanager by Netapp

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Testing Accelerator by Oracle

Webcenter Portal by Oracle

Webcenter Portal by Oracle

Xstream by Xstream

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Implement XStream Security Framework

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities