CVE-2021-39153: 
Java vulnerability analysis and mitigation

XStream, a Java library to serialize objects to XML and back again, was found to contain a vulnerability (CVE-2021-39153) that affects versions up to and including 1.4.17. The vulnerability was discovered in August 2021 and affects installations using Java runtime versions 8-14 or systems with JavaFX installed (XStream CVE).

The vulnerability exists in XStream's unmarshalling process where the stream contains type information to recreate previously written objects. During unmarshalling, XStream creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in execution of arbitrary code loaded from a remote server. The vulnerability affects multiple formats including XML and JSON (XStream CVE, NetApp Advisory).

The vulnerability has a CVSS v3.1 base score of 8.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. If successfully exploited, it could allow a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream (NetApp Advisory).

The vulnerability was fixed in XStream version 1.4.18, which no longer uses a blacklist by default since it cannot be secured for general purpose. For earlier versions, users should follow XStream's security framework recommendation to set up a whitelist limited to the minimal required types (XStream CVE, GitHub Advisory).

Multiple vendors and organizations issued security advisories and patches in response to this vulnerability, including NetApp, Red Hat, Oracle, and Debian. The vulnerability was considered serious enough to warrant inclusion in multiple security updates across different platforms (NetApp Advisory, Debian Advisory).