CVE-2021-21343
remote attacker vulnerability in xstream (Maven)


What is CVE-2021-21343 About?

This vulnerability allows a remote attacker to delete files on the local host by manipulating the processed input stream during object unmarshalling. The impact is data destruction and system disruption. Exploitation requires careful crafting of the input stream but is contingent on an inadequately configured XStream security framework.

Affected Software

com.thoughtworks.xstream:xstream <1.4.16

Technical Details

The vulnerability arises because XStream recreates objects based on type information present in the unmarshalled stream. An attacker can manipulate this input stream to replace or inject objects that, when instantiated or processed, trigger file deletion on the local system. This is typically achieved by leveraging deserialization flaws where specific classes or methods that perform file operations can be invoked through controlled input. If the XStream security framework does not enforce a whitelist of acceptable types, malicious types can be introduced to perform unauthorized actions such as file deletion.
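The mitigation described above, configuring XStream's security framework so that only expected types can be unmarshalled, as an added example (not code from the XStream project or this advisory). It uses the public XStream 1.4.x security API; `Greeting` is a hypothetical application type and both XML inputs are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlist {

    /** Hypothetical application data type: the only object expected on the wire. */
    public static class Greeting {
        public String message;
    }

    /** Build an XStream instance that rejects every type not explicitly permitted. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Clear the permissive defaults: nothing is allowed unless added below.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the harmless basics, then only the application's own model.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed, legitimate input naming the aliased application type.
        Greeting ok = (Greeting) xstream.fromXML("<greeting><message>hello</message></greeting>");
        System.out.println("Accepted: " + ok.message);

        // Constructed input whose root element names a type outside the allowlist.
        // The security mapper rejects it during type resolution, before any
        // object is instantiated, so no constructor or converter ever runs.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: type outside the allowlist was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is a defence in depth alongside the upgrade: it limits what any stream can instantiate, so a future gadget class that is not on the list is rejected the same way.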

What is the Impact of CVE-2021-21343?

Successful exploitation may allow attackers to delete arbitrary files on the local host, leading to data loss, denial of service, or system integrity compromise.

What is the Exploitability of CVE-2021-21343?

Exploitation complexity is moderate, requiring an attacker to understand XStream's object unmarshalling and how to craft a malicious input stream to trigger file deletion. Whether authentication is required depends on the application's input processing mechanism: the attacker needs to be able to submit an input stream that the application unmarshals. This is a remote vulnerability. The attacker does not need elevated privileges on the target system directly, but the vulnerability executes with the privileges of the affected application. The primary constraint is the absence of a properly configured XStream security framework using a type whitelist.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2021-21343?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.16 → Upgrade to 1.4.16


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21343?

Similar Vulnerabilities: CVE-2015-7501, CVE-2017-17485, CVE-2019-10172, CVE-2020-25649, CVE-2021-21345