XStream is vulnerable to remote code execution. The vulnerability exists because process references on enum types are not controlled during deserialization, allowing an attacker to manipulate the processed input stream and replace or inject objects, resulting in the execution of arbitrary code loaded from a remote server.
x-stream.github.io/changes.html#1.4.16
github.com/x-stream/xstream/commit/15f2cd3364795eab785166f6f36f9a91e951373f
github.com/x-stream/xstream/issues/238
github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c
lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
lists.debian.org/debian-lts-announce/2021/04/msg00002.html
lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
security.netapp.com/advisory/ntap-20210430-0002/
www.debian.org/security/2021/dsa-5004
www.oracle.com/security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpuoct2021.html
x-stream.github.io/CVE-2021-21351.html
x-stream.github.io/news.html
x-stream.github.io/security.html#workaround