Critical Severity

Security Bulletin: XStream (Publicly disclosed vulnerability)


XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, the stream processed at unmarshalling time contains type information used to recreate the formerly written objects, and XStream therefore creates new instances based on that type information. An attacker can manipulate the processed input stream and replace or inject objects, resulting in a server-side request forgery. Users who followed the recommendation to set up XStream’s security framework with a whitelist limited to the minimal required types are not affected. If you rely on XStream’s default blacklist of the Security Framework, you will have to use at least version 1.4.16.
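The whitelist setup the bulletin recommends, as an added example that is not code from the bulletin, from IBM or from the XStream project. It assumes the XStream 1.4.x security API (the permissions under com.thoughtworks.xstream.security, allowTypes and allowTypesByWildcard, with the library on the classpath) and uses a hypothetical DeviceConfig class, a hypothetical com.example.app.model package and constructed XML inputs. It shows that, once the defaults are cleared and only the application's own types are re-added, a stream naming any other type is refused before an instance is created, which is the guarantee the default blacklist cannot give:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object this service expects to receive.
    public static class DeviceConfig {
        String hostname;
        int port;
    }

    // Configure XStream's security framework as an explicit allowlist. After
    // NoTypePermission.NONE no type is accepted unless re-added below, so the type
    // name carried in the stream can no longer select an arbitrary class to instantiate.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // drop the default blacklist entirely
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypeHierarchy(Collection.class);              // allow lists/sets if fields use them
        xstream.allowTypes(new Class[] { String.class, DeviceConfig.class });
        // Hypothetical package holding the application's own model classes.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.model.**" });
        xstream.alias("deviceConfig", DeviceConfig.class);        // stable element name instead of the FQCN
        return xstream;
    }

    // Unmarshal untrusted XML with the hardened instance. Returns the object on success,
    // or null when the stream names a type outside the allowlist.
    public static Object unmarshalUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Log and reject: the stream asked XStream to instantiate a type that was never allowed.
            System.err.println("rejected stream: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input: the document the service legitimately expects.
        String expected = "<deviceConfig><hostname>router1</hostname><port>22</port></deviceConfig>";
        DeviceConfig cfg = (DeviceConfig) unmarshalUntrusted(xstream, expected);
        System.out.println("accepted: " + cfg.hostname + ":" + cfg.port);

        // Constructed input: the element name now names a type that is not on the allowlist.
        // java.util.Date is harmless; the point is that the unlisted type is refused at the
        // type-resolution step, before XStream creates any instance from it.
        String injected = "<java.util.Date>0</java.util.Date>";
        Object result = unmarshalUntrusted(xstream, injected);
        System.out.println("injected type accepted? " + (result != null));
    }
}
```

Keep the allowlist as small as the application needs and extend it deliberately; a wildcard that is broader than the application's own model packages reintroduces exactly the type-selection freedom the whitelist is meant to remove.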

CVE(s): CVE-2021-21342, CVE-2021-21350, CVE-2021-21346, CVE-2021-21349, CVE-2021-21341, CVE-2021-21345, CVE-2021-21348, CVE-2021-21344, CVE-2021-21347, CVE-2021-21343, CVE-2021-21351

Affected product(s) and affected version(s):

Affected Product(s) Version(s)
ITNCM 6.4.2

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6483059
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198619
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198627
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198623
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198626
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198618
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198622
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198625
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198621
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198624
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198620
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/198628
