CVE-2021-39144 — XStream Remote Code Execution Vulnerability

CVE-2021-39144

XStream Java Library — Attacker-Controlled XML Input Triggers RCE via Deserialization; Affects XStream ≤1.4.17 and VMware Cloud Foundation

What is XStream?

XStream is a widely-used open-source Java library for serializing Java objects to XML and deserializing XML back to Java objects. It is embedded in numerous enterprise Java applications, infrastructure management platforms, and cloud management tools as a data exchange and configuration format handler. Because XStream processes external XML input and maps it to Java objects, deserialization vulnerabilities in XStream allow attackers who can supply crafted XML to instantiate arbitrary Java objects and, through gadget chains, reach command execution — a class of vulnerability that has affected XStream repeatedly. XStream's broad adoption across the Java ecosystem means its vulnerabilities have a wide blast radius when exploited in products built on it.

Overview

CVE-2021-39144 is a remote code execution vulnerability (CWE-94) in XStream, the Java XML serialization library. An attacker who can supply a specially crafted XML input stream to an application using XStream can manipulate the deserialization process to inject and execute local commands on the server. XStream released the fix in version 1.4.18 (August 22, 2021). The vulnerability affects all downstream products embedding vulnerable XStream versions — most prominently VMware Cloud Foundation, which disclosed exposure in November 2022 via VMSA-2022-0027. CISA added the vulnerability to the KEV catalog in March 2023.

Affected Versions

Product                                        | Vulnerable | Fixed
XStream before 1.4.18                          | Yes        | XStream 1.4.18 (August 22, 2021)
VMware Cloud Foundation 3.x                    | Yes        | Update per VMSA-2022-0027
VMware Cloud Foundation 4.x                    | Yes        | Update per VMSA-2022-0027
Any Java application embedding XStream ≤1.4.17 | Yes        | Upgrade to XStream 1.4.18+

Technical Details

  • Root cause: Code injection (CWE-94, Improper Control of Generation of Code) via deserialization of attacker-controlled XML — XStream uses reflection-based object instantiation when mapping XML elements to Java types; carefully crafted XML can abuse this mechanism to instantiate and invoke arbitrary Java classes present on the server's classpath, including those that execute system commands
  • Attack mechanics: XStream's type mapping system allows XML to reference specific Java classes by name; an attacker crafts XML that references Java runtime classes (such as ProcessBuilder or Runtime) in a gadget chain that results in OS command execution when deserialized
  • Prerequisites: AC:H (High complexity) and PR:L (Low privileges) — exploitation requires constructing a valid gadget chain for the target JVM classpath and typically requires the attacker to have some level of access to supply XML input to the vulnerable application
  • Scope: Changed (S:C): The RCE executes in the server process, potentially affecting resources beyond the immediate application — including the underlying host OS and connected systems
  • VMware Cloud Foundation exposure: VMware Cloud Foundation used XStream in its NSX-V management components; VMSA-2022-0027 disclosed that an authenticated attacker could exploit CVE-2021-39144 to achieve RCE on the Cloud Foundation appliance
  • XStream deserialization pattern: XStream has been patched for over a dozen deserialization-related CVEs since 2020; the library maintains a security framework (allowlists/denylists) that must be actively configured — default configurations may remain vulnerable even to previously-patched gadget chains if not maintained

Discovery

Identified as part of a broader XStream security audit in August 2021. XStream released version 1.4.18 on August 22, 2021; the CVE was published the following day, August 23. VMware separately discovered that Cloud Foundation's embedded XStream version was vulnerable and disclosed this in November 2022 via VMSA-2022-0027. CISA added CVE-2021-39144 to KEV in March 2023, reflecting confirmed exploitation in VMware or other enterprise Java deployments.

Exploitation Context

XStream deserialization vulnerabilities have become a reliable exploitation path against enterprise Java applications and infrastructure management platforms. The March 2023 CISA KEV addition — seventeen months after the XStream patch and four months after the VMware Cloud Foundation disclosure — reflects exploitation activity specifically in VMware environments. VMware Cloud Foundation is widely deployed in enterprise data centers, making this an attractive target for ransomware operators and nation-state actors seeking to compromise virtualization infrastructure. Applications embedding XStream are often long-lived Java enterprise apps that may not promptly incorporate library updates, extending the exploitation window well beyond the initial patch date.

Remediation

  1. Upgrade XStream to 1.4.18 or later — this addresses CVE-2021-39144 and related deserialization vulnerabilities
  2. For VMware Cloud Foundation: apply the patches documented in VMSA-2022-0027; prioritize VMware-specific guidance over generic XStream upgrade instructions
  3. Enable XStream's security framework — configure type allowlists to restrict which Java types XStream is permitted to deserialize; default configurations may not provide adequate protection
  4. Audit all Java applications in your environment for embedded XStream dependency versions; use dependency scanning tools (OWASP Dependency-Check, Snyk) to identify outdated XStream inclusions in transitive dependencies
  5. Network-segment management interfaces for VMware Cloud Foundation and other infrastructure platforms — limit which hosts can submit XML input to XStream-consuming services
  6. Monitor for unusual process spawning from Java application server processes (e.g., java spawning bash, cmd, powershell) as an indicator of successful deserialization exploitation
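Remediation step 3 in practice: the following is an added example (not code from the XStream project or from VMware) showing how to configure XStream's type allowlist so that only the application's own model types are ever instantiated from XML. It assumes XStream 1.4.18 or later on the classpath and a hypothetical application class `Order`; the sample XML documents are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {

    // Hypothetical application model type: the only user-defined class we expect in input.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream instance that deserializes only an explicit allowlist of types.
    public static XStream newHardened() {
        XStream xs = new XStream();
        // Clear every inherited permission first so nothing is allowed implicitly
        // (this also tightens older releases that still carried a denylist default).
        xs.addPermission(NoTypePermission.NONE);
        // Re-admit only what the application actually needs.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = newHardened();

        // Constructed input matching the allowlist: deserializes normally.
        String good = "<order><id>A-17</id><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(good);
        System.out.println("ok: " + o.id + " x" + o.quantity);

        // Constructed input naming a JDK type that is not on the allowlist.
        // The permission check runs while the element name is mapped to a class,
        // so the unexpected type is never instantiated and none of its code runs.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xs.fromXML(unexpected);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Widening the allowlist should be done per package with `allowTypesByWildcard` rather than by re-enabling broad JDK hierarchies; anything the application does not deserialize by design stays forbidden.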

Key Details

Property             | Value
CVE ID               | CVE-2021-39144
Vendor / Product     | XStream — XStream
NVD Published        | 2021-08-23
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 8.5
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-94
CISA KEV Added       | 2023-03-10
CISA KEV Deadline    | 2023-03-31
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-03-31. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-08-22 | XStream releases version 1.4.18, patching CVE-2021-39144 and a cluster of related deserialization vulnerabilities
2021-08-23 | CVE published; XStream publishes security advisory for CVE-2021-39144
2022-11-09 | VMware publishes VMSA-2022-0027 — VMware Cloud Foundation affected by XStream RCE via CVE-2021-39144
2023-03-10 | Added to CISA Known Exploited Vulnerabilities catalog — reflecting confirmed exploitation in VMware environments
2023-03-31 | CISA BOD 22-01 remediation deadline