XStream is vulnerable to remote code execution. The vulnerability exists because it relies on XStream's default blacklist of the Security Framework, allowing an attacker to manipulate the processed input stream and replace or inject objects that result in execution of arbitrary code loaded from a remote server.
x-stream.github.io/changes.html#1.4.16
x-stream.github.io/CVE-2021-21347.html
github.com/x-stream/xstream/commit/51abe602e09016c8e43e91325a15226022f4da46
github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f
lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
lists.debian.org/debian-lts-announce/2021/04/msg00002.html
lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
security.netapp.com/advisory/ntap-20210430-0002/
www.debian.org/security/2021/dsa-5004
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpuoct2021.html
x-stream.github.io/security.html#workaround