CVE-2021-21351
Arbitrary Code Execution vulnerability in xstream (Maven)
What is CVE-2021-21351 About?
This vulnerability affects XStream, a Java library that serializes objects to XML and unmarshals XML back into objects. A remote attacker who controls the input stream XStream processes can make it load and execute arbitrary code from a remote host. The impact is severe: the attacker gains control of the application and, with it, whatever the JVM process can reach on the host. Exploitation requires only that a specially crafted input stream reaches an endpoint that hands it to XStream.
Affected Software
com.thoughtworks.xstream:xstream, all versions before 1.4.16.
Technical Details
XStream versions prior to 1.4.16 allow a remote attacker to load and execute arbitrary code from a remote host simply by manipulating the processed input stream. XStream unmarshals XML into Java objects, and the element names in that stream decide which classes get instantiated and which of their methods run while the object graph is reconstructed; an attacker who controls the stream can therefore assemble a chain of types whose deserialization side effects end in code execution. This is the same class of flaw as the earlier XStream deserialization CVEs. In the affected versions XStream's default security framework is a blacklist of known-dangerous types, and the types used by this chain were not on it, so the payload passes straight through. 1.4.16 adds the missing types to the blacklist; the robust protection is an explicit whitelist of the types the application actually expects, which XStream 1.4.18 and later apply by default.
What is the Impact of CVE-2021-21351?
Successful exploitation lets the attacker execute arbitrary code with the privileges of the JVM process, giving full control over the application and, depending on how that process is isolated, a foothold on the underlying system.
What is the Exploitability of CVE-2021-21351?
Exploitation requires only that the attacker can supply the input stream XStream unmarshals. No authentication is part of the attack itself; exposure depends on whether an XStream-backed endpoint (a network-facing API, a message consumer, an upload handler) accepts data from untrusted parties. The payload is a crafted document naming a chain of types whose reconstruction ends in code execution, so the complexity is moderate. Code runs with the privileges of the JVM process hosting the application. Applications that configure XStream's security framework with a strict whitelist of the expected types, as the project recommends, instead of relying on the default blacklist, are not affected by this issue even on an unpatched version, because the unexpected types are rejected before they are instantiated.
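The contrast between the weak default and the recommended whitelist, as an added example written for this page (it is not code from the XStream project or from the advisory). The Order class, the method names and the XML documents are constructed for illustration; the XStream calls (addPermission, allowTypes, allowTypesByWildcard, fromXML, ForbiddenClassException) are the library's real security API as documented on its security page. The "unexpected" document names java.util.ArrayList, a harmless class, not an exploit payload; the point is that the blacklist admits any class it does not list, while the allowlist admits only the classes you name.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Compares XStream's default blacklist with an explicit allowlist.
 * Order is a hypothetical application DTO; the XML strings are constructed
 * sample input, not a real payload.
 */
public class XStreamAllowlistDemo {

    public static class Order {
        String id;
        int quantity;
    }

    /** Weak setup: relies on the built-in blacklist that CVE-2021-21351 bypassed. */
    static XStream withDefaultBlacklist() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Hardened setup: deny everything, then allow exactly the types the app unmarshals. */
    static XStream withAllowlist() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        xstream.addPermission(NoTypePermission.NONE);              // clear all existing permissions
        xstream.addPermission(NullPermission.NULL);                // permit null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a whole package of DTOs, a wildcard is the usual form (hypothetical package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    /**
     * Returns the name of the class XStream instantiated for the document,
     * or null if the security framework rejected the type before instantiation.
     */
    static String unmarshalledType(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return o == null ? "null" : o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed input of the type the application expects...
        String expected = "<order><id>A-1</id><quantity>2</quantity></order>";
        // ...and a document naming a type the application never expects.
        String unexpected = "<java.util.ArrayList/>";

        XStream weak = withDefaultBlacklist();
        XStream hard = withAllowlist();

        System.out.println("blacklist, expected  : " + unmarshalledType(weak, expected));
        System.out.println("blacklist, unexpected: " + unmarshalledType(weak, unexpected));
        System.out.println("allowlist, expected  : " + unmarshalledType(hard, expected));
        System.out.println("allowlist, unexpected: " + unmarshalledType(hard, unexpected));
    }
}
```

With the blacklist, the unexpected document is unmarshalled into a live object because java.util.ArrayList appears on no deny list; with the allowlist it is refused with ForbiddenClassException, which is exactly what stops a gadget chain whose first type is not (yet) blacklisted. Add the allowlist regardless of the version you run, then still upgrade to 1.4.16 or later; from 1.4.18 onwards XStream refuses all types by default, so the allowTypes call becomes the only way to unmarshal anything at all.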
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-21351?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.16 → Upgrade to 1.4.16
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://x-stream.github.io/security.html#workaround
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://x-stream.github.io/CVE-2021-21351.html
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21351
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
What are Similar Vulnerabilities to CVE-2021-21351?
Similar Vulnerabilities: CVE-2021-39147, CVE-2021-39140, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259
