CVE-2021-39144: 
Java vulnerability analysis and mitigation

XStream, a Java library for serializing objects to XML and back, contains a critical vulnerability (CVE-2021-39144) that allows remote command execution. The vulnerability affects all versions up to and including 1.4.17, when using the default configuration. The issue was discovered and reported by Ceclin and YXXX from the Tencent Security Response Center (XStream Advisory).

The vulnerability exists in XStream's unmarshalling process where type information is used to recreate previously written objects. An attacker can manipulate the input stream to replace or inject objects that result in arbitrary command execution on the server. The vulnerability has a CVSS v3.1 base score of 8.5 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

A successful exploit allows remote attackers to execute arbitrary commands with the privileges of the process owner on the target system by manipulating the processed input stream. The vulnerability is particularly severe as it can be exploited through any supported format, including both XML and JSON (XStream Advisory).

XStream 1.4.18 addresses this vulnerability by changing the default security approach from a blacklist to a whitelist that blocks all classes except those types it has explicit converters for. Users who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types are not affected (Debian Advisory).

The vulnerability has received significant attention due to its severity and active exploitation. VMware took the unusual step of releasing patches for end-of-life products, highlighting the criticality of the issue. Multiple vendors including Oracle, NetApp, and Debian have issued security advisories and patches for their affected products (NetApp Advisory).