CVE-2021-39149: 
Java vulnerability analysis and mitigation

XStream, a Java library used to serialize objects to XML and back again, was found to contain a vulnerability (CVE-2021-39149) that allows remote attackers to execute arbitrary code by manipulating the processed input stream. The vulnerability affects all versions up to and including version 1.4.17. The issue was discovered and reported by Lai Han of NSFOCUS security team (XStream Doc).

The vulnerability exists in XStream's unmarshalling process where the stream contains type information to recreate previously written objects. During unmarshalling, XStream creates new instances based on this type information. An attacker can manipulate the input stream to replace or inject objects that result in execution of arbitrary code loaded from a remote server. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory, NetApp Advisory).

A successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the target system, potentially leading to complete system compromise. The vulnerability could enable attackers to load and execute malicious code from remote hosts by simply manipulating the processed input stream (XStream Doc, NetApp Advisory).

The vulnerability was fixed in XStream version 1.4.18, which changed the default security approach from a blacklist to a whitelist that blocks all classes except those types it has explicit converters for. Users are strongly recommended to upgrade to version 1.4.18 or later. For users unable to upgrade immediately, implementing XStream's security framework with a whitelist limited to the minimal required types provides protection against this vulnerability (GitHub Advisory, XStream Doc).