CVE-2021-21345 Overview
CVE-2021-21345 is a critical insecure deserialization vulnerability in XStream, a popular Java library used to serialize objects to XML and back again. In XStream versions prior to 1.4.16, a remote attacker with sufficient rights can execute arbitrary commands on the host system by manipulating the processed input stream. This vulnerability affects applications that rely on XStream's default blacklist-based security framework rather than implementing a properly configured whitelist limited to minimal required types.
Critical Impact
Remote attackers can achieve arbitrary command execution on vulnerable hosts by exploiting the insecure deserialization of maliciously crafted XML input, potentially leading to complete system compromise.
Affected Products
- XStream versions prior to 1.4.16
- Apache ActiveMQ (versions 5.16.0, 5.16.1, and earlier)
- Apache JMeter
- NetApp OnCommand Insight
- Debian Linux (9.0, 10.0, 11.0)
- Fedora (33, 34, 35)
- Oracle Banking Enterprise Default Management (2.10.0, 2.12.0)
- Oracle Banking Platform (2.4.0, 2.7.1, 2.9.0, 2.12.0)
- Oracle Banking Virtual Account Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Business Activity Monitoring (11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0)
- Oracle Communications Billing and Revenue Management Elastic Charging Engine (12.0.0.3.0)
- Oracle Communications Policy Management (12.5.0)
- Oracle Communications Unified Inventory Management (7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1)
- Oracle PeopleSoft Enterprise PeopleTools (8.58, 8.59)
- Oracle Retail Xstore Point of Service (16.0.6, 17.0.4, 18.0.3, 19.0.2)
- Oracle WebCenter Portal (11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0)
Discovery Timeline
- March 23, 2021 - CVE-2021-21345 published to NVD
- May 23, 2025 - Last updated in NVD database
Technical Details for CVE-2021-21345
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection). The flaw exists in how XStream deserializes untrusted XML input without adequate type restrictions.
XStream's default security model relies on a blacklist approach to prevent instantiation of dangerous classes during deserialization. However, this approach is fundamentally flawed as attackers can discover new gadget chains or classes that bypass the blacklist restrictions. The vulnerability allows attackers to craft malicious XML payloads that, when processed by vulnerable XStream instances, trigger the instantiation of dangerous objects leading to arbitrary code execution.
The vulnerability assessment rates the scope as changed, meaning that successful exploitation can affect resources beyond the vulnerable component's own security scope: the entire host on which the application runs can be compromised.
Root Cause
The root cause of CVE-2021-21345 lies in XStream's reliance on a blacklist-based security model for controlling which classes can be deserialized. The blacklist approach attempts to block known dangerous classes but fails to account for newly discovered gadget chains or alternative exploitation paths. When applications use XStream's default security framework without implementing a strict whitelist of allowed types, attackers can leverage classes not included in the blacklist to construct exploitation chains that result in command execution.
The library's design allowed for unsafe deserialization of arbitrary object types when the security framework was not properly configured with explicit type allowlisting, enabling attackers to instantiate objects that could trigger malicious operations during the deserialization process.
Attack Vector
The attack is network-based and requires low privileges to execute, with no user interaction needed. An attacker can exploit this vulnerability by sending specially crafted XML input to an application using a vulnerable version of XStream. The malicious XML payload contains serialized object references that, when processed by XStream's unmarshalling functionality, instantiate dangerous objects capable of executing system commands.
The exploitation chain typically involves:
- Identifying an endpoint that accepts XML input processed by XStream
- Crafting a malicious XML payload containing a gadget chain of serialized objects
- Sending the payload to the vulnerable application
- Upon deserialization, the gadget chain triggers execution of attacker-controlled commands
No verified proof-of-concept code is reproduced here; administrators should refer to the GitHub Security Advisory GHSA-hwpc-8xqv-jvj4 for detailed technical information about the exploitation mechanism. The XStream project's own advisory for CVE-2021-21345 also provides comprehensive technical details about this vulnerability.
Detection Methods for CVE-2021-21345
Indicators of Compromise
- Unusual outbound network connections from Java application processes
- Unexpected process spawning from Java Virtual Machine instances
- Suspicious command execution activity traced back to applications using XStream
- Log entries showing deserialization of unexpected class types in XStream-based applications
Detection Strategies
- Monitor application logs for deserialization errors or warnings related to XStream processing
- Deploy runtime application self-protection (RASP) solutions to detect and block malicious deserialization attempts
- Implement network-based intrusion detection rules to identify malicious XML payloads targeting XStream
- Use static analysis tools to identify applications using vulnerable XStream versions in your environment
Monitoring Recommendations
- Enable verbose logging for XStream operations to capture detailed deserialization activity
- Monitor system process creation events for child processes spawned by Java applications
- Track network traffic patterns from applications known to use XStream for anomalous behavior
- Implement file integrity monitoring on systems running vulnerable applications
How to Mitigate CVE-2021-21345
Immediate Actions Required
- Upgrade XStream to version 1.4.16 or later immediately
- Implement XStream's security framework with an explicit whitelist limited to minimal required types
- Review and update all dependent applications including Apache ActiveMQ, Apache JMeter, and Oracle products
- Conduct an inventory of all applications using XStream in your environment to identify vulnerable instances
Patch Information
The vulnerability has been addressed in XStream version 1.4.16 and later. Organizations should upgrade to the latest stable version of XStream. Detailed patch information is available in the XStream change log for 1.4.16.
For downstream products, vendors have released security updates:
- Oracle has addressed this in multiple Critical Patch Updates including CPU April 2021, CPU July 2021, CPU October 2021, and CPU January 2022
- NetApp has released Security Advisory NTAP-20210430-0002
- Debian has released DSA-5004 security update
Workarounds
- Configure XStream's security framework to use a strict whitelist of allowed types instead of relying on the default blacklist
- Restrict network access to endpoints that process XML input with XStream
- Implement input validation to filter potentially malicious XML content before processing
- Consider using alternative serialization libraries if XStream whitelist configuration is not feasible
Example XStream security configuration (Java):

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

XStream xstream = new XStream();
// Clear every default permission, including the blacklist defaults
xstream.addPermission(NoTypePermission.NONE);
// Re-admit only the minimum: nulls, primitives and their boxed types
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
// Explicitly allow the application's own types (YourAllowedClass is a placeholder)
xstream.allowTypes(new Class[] { YourAllowedClass.class });

Verify the XStream version in use:

# Maven projects
mvn dependency:tree | grep xstream
# Gradle projects
gradle dependencies | grep xstream
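As an added example (not code from the original page or from the XStream project), the allowlist configuration discussed under Root Cause and Workarounds carried through to a runnable class: it unmarshals a constructed XML document whose type is on the allowlist, then shows that a document naming any unlisted type is refused with ForbiddenClassException before instantiation. It assumes XStream 1.4.16 or later on the classpath; the Order class and both XML samples are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed application type: the only class this endpoint ever needs to unmarshal.
    public static final class Order {
        String customer;
        int quantity;
    }

    // Returns an XStream whose security framework accepts nothing beyond the listed types.
    static XStream hardened() {
        XStream xstream = new XStream();
        // Drop every default permission, including the pre-1.4.16 blacklist defaults.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the minimum: nulls, primitives and their boxed forms (String included).
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Explicit allowlist of application types; nothing else may be instantiated.
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed input matching the allowlist: unmarshals normally.
        Order ok = (Order) xstream.fromXML(
            "<order><customer>acme</customer><quantity>3</quantity></order>");
        System.out.println("accepted: " + ok.customer + " x" + ok.quantity);

        // Constructed input naming a type that is not on the allowlist. The type itself is
        // benign; the point is that any unlisted class is refused before it is instantiated.
        try {
            xstream.fromXML("<java.util.HashMap/>");
            System.out.println("BUG: unlisted type was accepted");
        } catch (ForbiddenClassException e) {
            // Logging this is the "unexpected class type" indicator listed under Detection.
            System.out.println("rejected unlisted type: " + e.getMessage());
        }
    }
}
```

Routing the caught ForbiddenClassException into the application's normal log stream gives the deserialization-of-unexpected-type indicator a concrete, searchable form.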
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

