CVE-2021-21346
Arbitrary Code Execution vulnerability in xstream (Maven)
What is CVE-2021-21346 About?
This vulnerability allows a remote attacker to achieve arbitrary code execution by manipulating the processed input stream of XStream. It poses a high risk to systems that do not use a whitelisted security framework, as it allows attackers to execute code remotely with relatively easy exploitation. The impact is significant, potentially leading to full system compromise.
Affected Software
Technical Details
The vulnerability in question allows for remote arbitrary code execution by manipulating the processed input stream of XStream. Specifically, an attacker can craft a malformed input stream that, when processed by XStream, causes the application to load and execute arbitrary code from a remote host. This is typically achieved by leveraging deserialization flaws where XStream's default blacklist (if not configured with a whitelist) fails to adequately prevent deserialization of malicious types or gadgets. The attack vector is the processed input stream, implying that any input that XStream deserializes can be used to inject and execute remote code.
What is the Impact of CVE-2021-21346?
Successful exploitation may allow attackers to execute arbitrary code, leading to complete system compromise, data manipulation or exfiltration, and denial of service.
What is the Exploitability of CVE-2021-21346?
Exploitation requires a remote attacker to manipulate the processed input stream. There are no explicit authentication or privilege requirements mentioned. The attack is remote and does not require local access. The complexity is low to moderate, as it relies on sending a specially crafted input stream that XStream will process. The likelihood of exploitation is significantly reduced if XStream's security framework is configured with a whitelist of the minimal required types, effectively disallowing the execution of arbitrary code.
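The whitelist configuration referred to in the technical details and exploitability sections above, shown as an added illustration that is not part of this advisory or of XStream's own code. It assumes XStream 1.4.x (the `addPermission`/`allowTypes` security-framework API) and a constructed `Order` model class standing in for the application's real data types.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.List;

/** Constructed example: the only application type this service expects to deserialize. */
class Order {
    String id;
    List<String> items;
}

public class XStreamAllowlist {

    /** Build an XStream instance whose security framework admits only the listed types. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        // Start from "deny everything" instead of relying on the default blacklist:
        // any type not explicitly re-admitted below is rejected before it is resolved.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only what the application's data model actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.allowTypeHierarchy(Collection.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign document that matches the allowed model.
        String benign = "<order><id>A-1</id><items><string>widget</string></items></order>";
        Order order = (Order) xstream.fromXML(benign);
        System.out.println("deserialized order " + order.id + " with " + order.items.size() + " item(s)");

        // Constructed document naming a type outside the allow-list. The type itself is
        // harmless here; the point is that unlisted class names are never instantiated.
        String unexpected = "<java.util.Date>1970-01-01 00:00:00.0 UTC</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allow-list: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.4.16 or later is still required; the allow-list limits what a crafted stream can name regardless of which gadget types a given release blacklists.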
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-21346?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.16 → Upgrade to 1.4.16
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-21346
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://x-stream.github.io/security.html#workaround
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
- https://security.netapp.com/advisory/ntap-20210430-0002/
What are Similar Vulnerabilities to CVE-2021-21346?
Similar Vulnerabilities: CVE-2021-39146, CVE-2021-39148, CVE-2013-7285, CVE-2017-7957, CVE-2022-41966
