CVE-2021-39144

Q: What is the severity of CVE-2021-39144?

CVE-2021-39144 has a CVSS score of 8.5 (HIGH). CVE-2021-39144 is a remote code execution vulnerability in XStream library versions before 1.4.18. Attackers with sufficient privileges can execute arbitrary commands on the host by manipulating XML input streams. Only users who haven't implemented XStream's security framework with a minimal type whitelist are affected.

8.5 HIGH

Remote Code Execution Deserialization

📋 TL;DR

CVE-2021-39144 is a remote code execution vulnerability in XStream library versions before 1.4.18. Attackers with sufficient privileges can execute arbitrary commands on the host by manipulating XML input streams. Only users who haven't implemented XStream's security framework with a minimal type whitelist are affected.

💻 Affected Systems

Products:

XStream
VMware NSX Manager
Other applications using XStream library

Versions: XStream versions before 1.4.18

Operating Systems: All operating systems running Java applications

Default Config Vulnerable: ⚠️ Yes

Notes: Default configurations are vulnerable. Only applications that implemented XStream's security framework with minimal type whitelist are protected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the vulnerable server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential pivot to other internal systems.

🟢

If Mitigated

No impact if proper security framework with minimal whitelist is configured as recommended.

🌐 Internet-Facing: HIGH - Internet-facing applications using vulnerable XStream versions are directly exposed to remote exploitation.

🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require attacker to have internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists and has been used in real attacks. Exploitation requires the attacker to be able to send malicious XML input to the vulnerable application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XStream 1.4.18

Vendor Advisory: https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh

Restart Required: Yes

Instructions:

1. Update XStream dependency to version 1.4.18 or later. 2. For Maven projects: update pom.xml to <version>1.4.18</version>. 3. For Gradle projects: update build.gradle to implementation 'com.thoughtworks.xstream:xstream:1.4.18'. 4. Rebuild and redeploy application. 5. Restart application server.

🔧 Temporary Workarounds

Implement XStream Security Framework

all

Configure XStream with a minimal type whitelist to prevent deserialization of dangerous classes

XStream xstream = new XStream();
xstream.allowTypes(new Class[]{MyClass1.class, MyClass2.class});

🧯 If You Can't Patch

Implement strict input validation and sanitization for all XML input
Deploy network segmentation and restrict access to vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for XStream version <1.4.18. For Java applications: check pom.xml, build.gradle, or lib directory for xstream JAR files.

Check Version:

For Maven: mvn dependency:tree | grep xstream. For deployed JAR: java -cp xstream-*.jar com.thoughtworks.xstream.XStream --version

Verify Fix Applied:

Verify XStream version is 1.4.18 or higher in dependencies. Test application with known malicious XML payloads to ensure they're rejected.

📡 Detection & Monitoring

Log Indicators:

Unusual XML parsing errors
Java class loading exceptions for unexpected classes
Process execution from application context

Network Indicators:

Malformed XML payloads in HTTP requests
Unusual outbound connections from application server

SIEM Query:

source="application.logs" AND ("XStream" OR "deserialization") AND ("error" OR "exception" OR "ClassNotFoundException")

📊 Metadata

CVE ID: CVE-2021-39144

CVSS v3 Score: 8.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-94

Published: August 23, 2021

Last Updated: October 24, 2025

🔗 References

http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Broken Link,Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Broken Link,Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Broken Link,Mailing List,Release Notes
https://security.netapp.com/advisory/ntap-20210923-0003/ Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
https://x-stream.github.io/CVE-2021-39144.html Exploit,Vendor Advisory
http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ Broken Link,Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ Broken Link,Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ Broken Link,Mailing List,Release Notes
https://security.netapp.com/advisory/ntap-20210923-0003/ Third Party Advisory
https://www.debian.org/security/2021/dsa-5004 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
https://x-stream.github.io/CVE-2021-39144.html Exploit,Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144 US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Business Activity Monitoring by Oracle

Commerce Guided Search by Oracle

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Communications Billing And Revenue Management Elastic Charging Engine by Oracle

Communications Cloud Native Core Automated Test Suite by Oracle

Communications Cloud Native Core Binding Support Function by Oracle

Communications Cloud Native Core Policy by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Communications Unified Inventory Management by Oracle

Debian Linux by Debian

Debian Linux by Debian

Debian Linux by Debian

Fedora by Fedoraproject

Fedora by Fedoraproject

Fedora by Fedoraproject

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Retail Xstore Point Of Service by Oracle

Snapmanager by Netapp

Snapmanager by Netapp

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Framework by Oracle

Utilities Testing Accelerator by Oracle

Webcenter Portal by Oracle

Webcenter Portal by Oracle

Xstream by Xstream

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Implement XStream Security Framework

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities