XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5946-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of VMware NSX for vSphere (NSX-V) installed on the remote host is prior to 6.4.14. It is, therefore, affected by multiple vulnerabilities, including:

  - VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library.
    (CVE-2021-39144)   
  - VMware Cloud Foundation contains an XML External Entity (XXE) vulnerability. (CVE-2022-31678)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1729 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5004 advisory.

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system     depending on CPU type or parallel execution of such a payload resulting in a denial of service only by     manipulating the processed input stream. No user is affected who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21341)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in a server-side forgery request. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21342)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in the deletion of a file on the local host. No user is affected, who followed the recommendation     to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely     on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21343)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a     remote host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands     of the host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21345)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU     time and will never return. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21348)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to request data from internal resources that     are not publicly available only by manipulating the processed input stream. No user is affected, who     followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal     required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use     at least version 1.4.16. (CVE-2021-21349)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating     the processed input stream. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21350)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host     only by manipulating the processed input stream. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21351)

  - XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream     versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host     only by manipulating the processed input stream. No user who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types is affected. The     vulnerability is patched in version 1.4.17. (CVE-2021-29505)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1401-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-3956 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3956 advisory.

  - xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl     (CVE-2021-39139, CVE-2021-39153)

  - xstream: Infinite loop DoS via unsafe deserialization of     sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*     (CVE-2021-39141)

  - xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration     (CVE-2021-39145, CVE-2021-39151)

  - xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue     (CVE-2021-39146, CVE-2021-39154)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration     (CVE-2021-39147)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator     (CVE-2021-39148)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:3956-1 advisory.

  - xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl     (CVE-2021-39139, CVE-2021-39153)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*     (CVE-2021-39141)

  - xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration     (CVE-2021-39145, CVE-2021-39151)

  - xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue     (CVE-2021-39146, CVE-2021-39154)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration     (CVE-2021-39147)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator     (CVE-2021-39148)

  - xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

  - xstream: Server-side request forgery (SSRF) via unsafe deserialization of     jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

  - xstream: Infinite loop DoS via unsafe deserialization of     sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3476-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3476-1 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2769 advisory.

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. A user is only affected if using the version out of the box with     JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works     regardless of the version of the Java runtime. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18     uses no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39139)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU     type or parallel execution of such a payload resulting in a denial of service only by manipulating the     processed input stream. No user is affected, who followed the recommendation to setup XStream's security     framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39140)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39141,     CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39151,     CVE-2021-39154)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by     manipulating the processed input stream. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses     no longer a blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39144)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to request data from internal resources that are not publicly     available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is     affected, who followed the recommendation to setup XStream's security framework with a whitelist limited     to the minimal required types. If you rely on XStream's default blacklist of the [Security     Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version     1.4.18. (CVE-2021-39150, CVE-2021-39152)

  - XStream is a simple library to serialize objects to XML and back again. In affected versions this     vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream, if using the version out of the box with Java runtime version 14     to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a     blacklist by default, since it cannot be secured for general purpose. (CVE-2021-39153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172496	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : XStream vulnerabilities (USN-5946-1)	Nessus	Ubuntu Local Security Checks	high
166697	VMware NSX for vSphere (NSX-v) < 6.4.14 Multiple Vulnerabilities (VMSA-2022-0027)	Nessus	Misc.	critical
155989	Amazon Linux 2 : xstream (ALAS-2021-1729)	Nessus	Amazon Linux Local Security Checks	high
155294	Debian DSA-5004-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	critical
154764	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1401-1)	Nessus	SuSE Local Security Checks	high
154433	Oracle Linux 7 : xstream (ELSA-2021-3956)	Nessus	Oracle Linux Local Security Checks	high
154419	RHEL 7 : xstream (RHSA-2021:3956)	Nessus	Red Hat Local Security Checks	high
154412	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:3956)	Nessus	Scientific Linux Local Security Checks	high
154298	SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2021:3476-1)	Nessus	SuSE Local Security Checks	high
154285	openSUSE 15 Security Update : xstream (openSUSE-SU-2021:3476-1)	Nessus	SuSE Local Security Checks	high
153811	Debian DLA-2769-1 : libxstream-java - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-39144

high

Tenable Plugins

high

critical

high

critical

high

high

high

high

high

high

high