CISA KEV 정보
| 취약점명 | XStream Remote Code Execution Vulnerability |
|---|---|
| 설명 | XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation. |
| 조치사항 | Apply updates per vendor instructions. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-94 | CWE-502 |
| 등록일 (KEV) | 2023-03-10 |
| 조치 기한 | 2023-03-31 |
| 추가 참고 | https://www.vmware.com/security/advisories/VMSA-2022-0027.html, https://x-stream.github.io/CVE-2021-39144.html; https://nvd.nist.gov/vuln/detail/CVE-2021-39144 |
NVD 상세 정보
CVSS v3.1: 8.5 HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HCVSS v2.0: 6.0
AV:N/AC:M/Au:S/C:P/I:P/A:P설명: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CWE: CWE-94 | CWE-502 | CWE-306 | CWE-502
참조
- http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh [Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html [Mailing List, Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ [Broken Link, Mailing List, Release Notes]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ [Broken Link, Mailing List, Release Notes]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ [Broken Link, Mailing List, Release Notes]
- https://security.netapp.com/advisory/ntap-20210923-0003/ [Third Party Advisory]
- https://www.debian.org/security/2021/dsa-5004 [Third Party Advisory]
- https://www.oracle.com/security-alerts/cpuapr2022.html [Patch, Third Party Advisory]
- https://www.oracle.com/security-alerts/cpujan2022.html [Patch, Third Party Advisory]
- https://www.oracle.com/security-alerts/cpujul2022.html [Patch, Third Party Advisory]
- https://x-stream.github.io/CVE-2021-39144.html [Exploit, Vendor Advisory]
- http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh [Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html [Mailing List, Third Party Advisory]
- ... 외 10건
This product uses the NVD API but is not endorsed or certified by the NVD.