CVE-2021-21350
Remote Code Execution vulnerability in com.thoughtworks.xstream:xstream

Remote Code Execution (no known public exploit)

What is CVE-2021-21350 About?

This vulnerability allows a remote attacker to execute arbitrary code only by manipulating the input stream that XStream unmarshals. Its impact is severe, potentially leading to full system compromise. Applications that configured XStream's security framework as a whitelist limited to the types they actually need are not affected; applications that rely on XStream's default blacklist are, and must upgrade to at least 1.4.16.

Affected Software

com.thoughtworks.xstream:xstream <1.4.16

Technical Details

XStream reconstructs an object graph from the XML (or JSON) it is given: element names and class attributes in the stream are resolved to Java classes through XStream's mapper, instances of those classes are created, their fields are populated, and any converter or lifecycle logic attached to those types runs as part of unmarshalling. Before 1.4.16 the default security framework was a blacklist, which only enumerates types already known to be dangerous. An attacker who crafts an input stream naming a type that is not on the blacklist, but whose instantiation or population has side effects, can chain such types into a gadget that ends in execution of attacker-controlled code. A blacklist can never keep pace with the number of candidate types on the JDK and the application classpath, which is why deserializing untrusted data is only defensible with a strict whitelist of the types the application actually expects.

What is the Impact of CVE-2021-21350?

Successful exploitation may allow attackers to achieve arbitrary code execution, gain full control over the compromised system, or cause data corruption and service disruption.

What is the Exploitability of CVE-2021-21350?

Crafting a payload requires knowledge of XStream's unmarshalling process and of a suitable gadget type on the target's classpath, but once a payload exists, exploitation is straightforward. No authentication is needed, no privileges are required on the target, and no user interaction is involved: the attacker only has to get a malicious stream to a code path that passes it to XStream's fromXML or unmarshal methods over the network. The key prerequisite is that the application relies on XStream's default blacklist rather than a stricter whitelist. The likelihood of exploitation is highest when untrusted input (HTTP request bodies, message-queue payloads, uploaded files) is fed directly to the deserializer.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits listed.

What are the Available Fixes for CVE-2021-21350?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.16 → Upgrade to 1.4.16 or later
    • Regardless of version, configure XStream's security framework as a whitelist of the types the application actually deserializes instead of relying on the default blacklist
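The following is an added example, not code from the XStream project or from this advisory. It shows the two patterns described in the Technical Details and in the fixes above side by side: a default XStream instance that relies on the built-in blacklist, and an instance hardened into a whitelist so that any type the application does not expect is rejected before it is instantiated. It assumes XStream 1.4.16 or later on the classpath; the Order class and both XML payloads are constructed for the demonstration, and java.util.ArrayList stands in for any off-list type (it is harmless, but the point is that the default configuration accepts it and the whitelist does not).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not XStream project code). Assumes XStream >= 1.4.16 on the
 * classpath. Order and the XML inputs below are constructed for the demo.
 */
public class XStreamAllowlistDemo {

    /** Hypothetical application type that the service legitimately expects. */
    public static class Order {
        String id;
        int quantity;
    }

    /** Vulnerable pattern: a plain instance that relies on the default blacklist. */
    static XStream defaultInstance() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Hardened pattern: deny every type, then permit only what the app needs. */
    static XStream allowlistedInstance() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        xstream.addPermission(NoTypePermission.NONE);              // start from "deny all"
        xstream.addPermission(NullPermission.NULL);                // <null/> elements
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, boxed forms
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a whole model package, a wildcard is less error-prone than listing
        // each class (package name is hypothetical):
        // xstream.allowTypesByWildcard(new String[] { "com.example.orders.model.**" });
        return xstream;
    }

    /** Returns true when the instance refuses to unmarshal the given XML. */
    static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate order, and a stream naming a type the
        // service never asked for. ArrayList is benign and stands in for any
        // off-list type; a real payload would name a gadget class instead.
        String legit = "<order><id>A-17</id><quantity>3</quantity></order>";
        String offList = "<java.util.ArrayList/>";

        XStream safe = allowlistedInstance();
        Order o = (Order) safe.fromXML(legit);
        System.out.println("whitelist accepted order " + o.id + " x" + o.quantity);
        System.out.println("whitelist rejects off-list type: " + rejects(safe, offList));

        // The default instance resolves and instantiates the same off-list type,
        // because the blacklist only stops types it already knows about. A new
        // gadget such as the one behind CVE-2021-21350 passes it in exactly this way.
        System.out.println("default instance rejects off-list type: "
                + rejects(defaultInstance(), offList));
    }
}
```

Putting the whitelist configuration in one factory method that every fromXML call goes through makes the hardening auditable: a code review (or a grep for "new XStream(") can confirm that no bare instance handles untrusted input. Upgrading to 1.4.16 is still required, since the whitelist protects only the types you list and later XStream versions also fix further issues in the framework itself.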


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21350?

Similar Vulnerabilities: CVE-2021-39153, CVE-2021-39151, CVE-2020-26217, CVE-2020-26258, CVE-2017-7957