CVE-2021-39151: 
Java vulnerability analysis and mitigation

XStream, a simple library to serialize objects to XML and back again, was found to contain a vulnerability (CVE-2021-39151) that allows remote attackers to load and execute arbitrary code from a remote host by manipulating the processed input stream. The vulnerability was discovered in August 2021 and affects all versions up to and including version 1.4.17 (GitHub Advisory, XStream Doc).

The vulnerability exists in XStream's unmarshalling process where the stream contains type information to recreate previously written objects. During unmarshalling, XStream creates new instances based on this type information. An attacker can manipulate the input stream to replace or inject objects that result in execution of arbitrary code loaded from a remote server. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NetApp Advisory).

A successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The vulnerability affects confidentiality, integrity, and availability of the system. However, users who followed XStream's security framework recommendation to set up a whitelist limited to the minimal required types are not affected (XStream Doc).

The vulnerability was fixed in XStream version 1.4.18, which no longer uses a blacklist by default since it cannot be secured for general purpose. The new version implements a whitelist approach that blocks all classes except those types it has explicit converters for. Users are strongly recommended to upgrade to version 1.4.18 or later (GitHub Advisory, Debian Advisory).