CVE-2021-29505
arbitrary code execution vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2021-29505 About?
This vulnerability allows a remote attacker to execute host commands by manipulating the input stream processed by XStream. Successful exploitation grants the attacker control over the host system. It is moderately easy to exploit, given that the attacker has the necessary rights and the XStream security framework is not properly configured.
Affected Software
Technical Details
The vulnerability in XStream arises from the insecure handling of processed input streams, particularly when the application relies on the default blacklist configuration of the security framework. An attacker with sufficient rights to send crafted input can exploit this by injecting malicious data into the input stream. When XStream deserializes this input, it can be coerced into executing arbitrary commands on the host system, effectively bypassing security controls designed to prevent such code execution.
What is the Impact of CVE-2021-29505?
Successful exploitation may allow attackers to execute commands on the host system, leading to arbitrary code execution, complete system takeover, unauthorized data access, or resource manipulation.
What is the Exploitability of CVE-2021-29505?
Exploitation involves a remote attacker manipulating the processed input stream. While it requires the attacker to have "sufficient rights to execute commands," this likely refers to the context in which the input processing occurs, not necessarily prior authentication to the application itself. The complexity is moderate, requiring knowledge of XStream's deserialization mechanisms. The attack is remote, and prerequisites include the use of a vulnerable XStream version relying on a default blacklist. Strict input validation and a comprehensive whitelist approach can significantly mitigate the risk of this vulnerability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| MyBlackManba | Link | Reproduces CVE-2021-29505 and analyzes the XStream deserialization process |
| cuijiung | Link | PoC for CVE-2021-29505 |
What are the Available Fixes for CVE-2021-29505?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.17 → Upgrade to 1.4.17
Additional Resources
- https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
- https://x-stream.github.io/CVE-2021-29505.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
What are Similar Vulnerabilities to CVE-2021-29505?
Similar Vulnerabilities: CVE-2021-21347, CVE-2021-39141, CVE-2021-39154, CVE-2019-10173, CVE-2013-7285
