CVE-2021-21344
arbitrary code execution vulnerability in xstream (Maven)
What is CVE-2021-21344 About?
This XStream vulnerability allows a remote attacker to load and execute arbitrary code by manipulating the processed input stream. The impact is severe, potentially leading to full system compromise. Exploitation requires sending specially crafted input to the affected XStream instance; deployments that have configured XStream's security framework as a whitelist of permitted types are not affected.
Affected Software
Technical Details
The vulnerability permits a remote attacker to achieve arbitrary code execution by crafting a malicious input stream. When XStream processes this manipulated input, it can be coerced into loading and executing arbitrary code from a remote host. This is a deserialization flaw: attacker-controlled data determines which classes are instantiated and which methods are invoked during unmarshalling, leading to remote code execution. The vulnerability bypasses XStream's default blacklist-based security framework, but a properly configured whitelist mitigates the risk by restricting deserialization to an explicit set of acceptable types.
What is the Impact of CVE-2021-21344?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data theft, or further network penetration.
What is the Exploitability of CVE-2021-21344?
Exploitation involves a remote attacker manipulating the processed input stream, indicating a moderate to high complexity in crafting the malicious payload. There are no stated authentication or privilege requirements; the attacker only needs to be able to send input to the affected XStream instance, so the attack vector is network-based. A significant constraint is that users who have configured XStream's security framework with a strict whitelist are not affected. Risk factors include publicly exposed applications that use XStream without a whitelist-based security framework, especially if they deserialize untrusted input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-21344?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.16 → Upgrade to 1.4.16
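The whitelist configuration referred to in the technical details and in the fix section above, as an added example that is not part of this advisory or of the XStream project's own documentation. It assumes a hypothetical application type `OrderRequest` and a hypothetical model package `com.example.model`; the permission classes, `allowTypes`, `allowTypeHierarchy`, `allowTypesByWildcard` and `ForbiddenClassException` are real XStream 1.4.x API. The constructed inputs show a benign document being accepted and a document naming a type outside the whitelist being rejected before any instance is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

// Requires com.thoughtworks.xstream:xstream 1.4.16 or later on the classpath
// (the fixed version listed above); the whitelist setup itself works on earlier 1.4.x too.
public class XStreamAllowlistExample {

    // Hypothetical application DTO: the only application type untrusted input may instantiate.
    public static class OrderRequest {
        public String customerId;
        public int quantity;
    }

    // Build an XStream instance that accepts an explicit whitelist and nothing else.
    // A bare `new XStream()` on affected versions relies on the default blacklist,
    // which is what CVE-2021-21344 bypasses.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Clear every permission, including the default blacklist-based ones.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-add the minimum needed to unmarshal plain data.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, OrderRequest.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Allow the application's own model package (hypothetical name) by wildcard.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        // Map the root element name to the DTO explicitly.
        xstream.alias("orderRequest", OrderRequest.class);
        return xstream;
    }

    // Constructed, benign input that names only a whitelisted type.
    static final String GOOD_XML =
        "<orderRequest><customerId>c-42</customerId><quantity>3</quantity></orderRequest>";

    // Constructed input naming a type that is not on the whitelist. java.util.Date is
    // harmless here; it stands in for any class the application never expects to receive.
    static final String UNEXPECTED_XML = "<java.util.Date>0</java.util.Date>";

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        OrderRequest req = (OrderRequest) xstream.fromXML(GOOD_XML);
        System.out.println("accepted: " + req.customerId + " x" + req.quantity);

        try {
            xstream.fromXML(UNEXPECTED_XML);
            System.out.println("unexpected: non-whitelisted type was accepted");
        } catch (ForbiddenClassException e) {
            // The type check runs while resolving the element name, before any
            // instance exists. Treat this as a security event worth logging and alerting on.
            System.out.println("rejected non-whitelisted type: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.4.16 removes this particular bypass, but the whitelist is what removes the class of problem: any root element or `class` attribute naming a type outside the allowed set fails with `ForbiddenClassException` regardless of which gadget a future bypass might rely on. Releases from 1.4.18 onward refuse everything not explicitly allowed by default, so the configuration above is also what keeps an application working after a later upgrade.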
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://x-stream.github.io/security.html#workaround
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://x-stream.github.io/CVE-2021-21344.html
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
What are Similar Vulnerabilities to CVE-2021-21344?
Similar Vulnerabilities: CVE-2020-26217, CVE-2021-21342, CVE-2021-21343, CVE-2021-21350, CVE-2020-26259
