CVE-2021-21345
Remote attacker vulnerability in xstream (Maven)

Proof of concept available

What is CVE-2021-21345 About?

This vulnerability allows a remote attacker with sufficient rights to execute commands on the host by manipulating the processed input stream. The impact is severe, enabling remote code execution. Exploitation requires specific manipulation of the input stream but can be achieved with the existing proof of concept.

Affected Software

com.thoughtworks.xstream:xstream <1.4.16

Technical Details

The vulnerability is triggered when XStream unmarshals an input stream containing specially crafted data. Because the unmarshaller instantiates and populates whatever types the stream names, an attacker who controls the stream can steer object creation toward types whose construction or initialization ends up running commands on the host. This is only possible when the security framework has not been configured with a minimal whitelist: the default blacklist shipped in versions before 1.4.16 does not cover the types the proof of concept relies on, so it is insufficient to stop malicious input. The result is arbitrary command execution by subverting the object creation or deserialization logic.

What is the Impact of CVE-2021-21345?

Successful exploitation may allow attackers to execute arbitrary code on the host system, leading to full system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2021-21345?

Exploitation of this vulnerability is moderately complex, requiring an understanding of XStream's unmarshalling process and the ability to craft a malicious input stream. There are no explicit authentication requirements beyond what is needed to submit the processed input. The attacker needs to have 'sufficient rights' to interact with the system processing the input, implying some level of access, but exploitation is remote. There are no specific privilege requirements mentioned for the attacker, but the vulnerability leverages the privileges of the application processing the input. A significant risk factor is an application using XStream without a properly configured security framework (i.e., a whitelist limited to minimal required types).
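The two paragraphs above (Technical Details and Exploitability) both come down to one configuration decision: whether the XStream instance relies on the default blacklist or on an explicit whitelist of the types the application actually expects. The following Java program is an added example written for this page; it is not code from the advisory, from the proof of concept, or from the XStream project. It assumes a hypothetical `Order` DTO as the only type the endpoint should ever unmarshal, and shows the weak default beside the hardened allowlist configuration using XStream's own security API (`addPermission`, `allowTypes`).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type: the only payload this endpoint should accept.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Weak configuration: a bare XStream instance relies on the default blacklist,
    // which is exactly the configuration CVE-2021-21345 affects on versions < 1.4.16.
    public static XStream weak() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Hardened configuration: deny every type first, then re-allow only what the
    // DTO needs. Anything else in the stream is rejected before it is instantiated.
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        xstream.addPermission(NoTypePermission.NONE);          // clear the blacklist-based defaults
        xstream.addPermission(NullPermission.NULL);            // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class }); // the explicit whitelist
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate order document.
        String legitimate = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = (Order) hardened().fromXML(legitimate);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed sample input: a stream naming a type this endpoint never expects.
        // java.util.HashMap is a harmless stand-in; the point is that the hardened
        // instance refuses any class outside the whitelist, whatever its name.
        String unexpected = "<java.util.HashMap/>";
        try {
            hardened().fromXML(unexpected);
            System.out.println("unexpected type was accepted (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by whitelist: " + e.getMessage());
        }

        // The weak instance happily instantiates the same unlisted type.
        Object accepted = weak().fromXML(unexpected);
        System.out.println("weak instance instantiated " + accepted.getClass().getName());
    }
}
```

Note that upgrading to 1.4.16 closes this particular bypass of the blacklist, but the whitelist configuration shown in `hardened()` is what removes the whole class of problem: the unmarshaller can then only create types the application has named, regardless of what future gadget the blacklist might miss.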

What are the Known Public Exploits?

PoC Author   Link   Commentary
shoucheng3   Link   PoC for CVE-2021-21345

What are the Available Fixes for CVE-2021-21345?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.16 → Upgrade to 1.4.16

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21345?

Similar Vulnerabilities: CVE-2017-1000487, CVE-2020-25649, CVE-2021-21390, CVE-2021-29505, CVE-2021-39149