CVE-2021-21347
arbitrary code execution vulnerability in com.thoughtworks.xstream:xstream

Type: arbitrary code execution · Public exploit: none known

What is CVE-2021-21347 About?

This vulnerability allows a remote attacker to execute arbitrary code by supplying a crafted input stream. Successful exploitation could lead to full system compromise. It is relatively easy to exploit through crafted input unless specific security measures (an explicit type allowlist or the fixed version) are in place.

Affected Software

com.thoughtworks.xstream:xstream <1.4.16

Technical Details

The vulnerability arises from XStream's security framework being left in its default configuration, i.e. relying on the default blacklist of known-dangerous types instead of an explicit whitelist of the types the application expects. An attacker can craft a malicious input stream (XML or another supported format) that, when processed by XStream, deserializes into objects that trigger arbitrary code loading and execution from a remote host. This bypasses the intended security controls, allowing unauthorized code to run on the system processing the input.

What is the Impact of CVE-2021-21347?

Successful exploitation may allow attackers to execute arbitrary code, leading to complete system compromise, data exfiltration, denial of service, or unauthorized access to sensitive information.

What is the Exploitability of CVE-2021-21347?

Exploitation requires the ability to deliver input to a system that processes it with XStream. The complexity is moderate, as it involves crafting a specific input stream to trigger the deserialization flaw. No authentication is explicitly required, enabling unauthenticated remote attacks. No specific prior privileges are necessary beyond the ability to send the malicious input. The primary constraint is the target system's reliance on XStream's default blacklist rather than a more restrictive whitelist. The likelihood of exploitation increases if the application processes untrusted input directly without validation or proper security framework initialization.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (no entries).

What are the Available Fixes for CVE-2021-21347?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.16 → Upgrade to 1.4.16


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21347?

Similar Vulnerabilities: CVE-2021-39141, CVE-2021-29505, CVE-2021-39154, CVE-2019-10173, CVE-2013-7285