CVE-2021-39139
Remote Code Execution vulnerability in com.thoughtworks.xstream:xstream

Remote Code Execution. No known exploit.

What is CVE-2021-39139 About?

XStream recreates objects from the type information carried in the stream it unmarshals. In versions before 1.4.18, a remote attacker who controls that stream can replace or inject objects so that deserialization loads and executes arbitrary code from a remote host. Exposure is limited to deployments that run on JDK 1.7u21 or below, or that use an external Xalan library; other runtimes are not affected by this particular issue. Exploitation requires crafted input to reach an XStream endpoint that deserializes untrusted data without an explicit allow-list of types.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

XStream instantiates whatever types the processed input stream names, so an attacker who controls the input can inject types and data the application never intended to deserialize. In versions before 1.4.18, and only where the application runs on JDK 1.7u21 or below or uses an external Xalan library, a crafted stream unmarshals into objects whose reconstruction causes code to be loaded from an attacker-controlled host and executed with the privileges of the application. An endpoint that restricts XStream's security framework to an allow-list of the minimal required types is not affected, because the injected type is rejected before any instance is created.

What is the Impact of CVE-2021-39139?

Successful exploitation may allow attackers to execute arbitrary code on the server, potentially leading to complete system compromise, data theft, or a full denial of service.

What is the Exploitability of CVE-2021-39139?

Exploitation requires a crafted serialized payload that matches the runtime conditions (JDK 1.7u21 or below, or an external Xalan library) and a way to deliver it to an endpoint where XStream deserializes it. Whether authentication is needed depends only on the endpoint: an unauthenticated endpoint makes this a remote, unauthenticated attack. The attacker needs no privileges on the target; the injected code runs with whatever privileges the application already holds. The primary risk factors are deserializing untrusted input with XStream without a strict security framework (an allow-list of expected types) and running on the affected Java environments.
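The two risk factors above, side by side, as an added Java example (not code from the advisory, the XStream project or this page). It assumes XStream on the classpath; `JobRequest`, the alias `job`, and both XML documents are constructed for the example, and `java.util.ArrayList` stands in for whatever unexpected class an attacker would name in the stream, since no gadget chain is shown here.

```java
// Added example, not from the advisory or the XStream project. Contrasts an
// XStream instance with no security framework (the vulnerable configuration
// on 1.4.17 and earlier) with one restricted to an explicit allow-list.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {

    // Hypothetical application type: the only object this endpoint should accept.
    public static class JobRequest {
        public String name;
        public int priority;

        @Override
        public String toString() {
            return "JobRequest{name=" + name + ", priority=" + priority + "}";
        }
    }

    // Constructed benign input, as a well-behaved client would send it.
    static final String BENIGN_XML =
        "<job><name>nightly-backup</name><priority>3</priority></job>";

    // Constructed hostile input. The root element name is the class XStream will
    // try to instantiate; java.util.ArrayList is a harmless stand-in for whatever
    // class an attacker would really name here. No gadget chain is shown.
    static final String UNEXPECTED_TYPE_XML =
        "<java.util.ArrayList><string>injected</string></java.util.ArrayList>";

    // Risk factor: no security framework configured. On 1.4.17 and earlier the
    // default is a blacklist, so this instance instantiates any loadable class
    // named in the stream that is not on that list.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("job", JobRequest.class);
        return xs;
    }

    // Mitigation: clear every permission, then allow back only null, primitives,
    // String and the application's own type. Anything else is rejected by the
    // mapper before a constructor or converter runs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, JobRequest.class });
        xs.alias("job", JobRequest.class);
        return xs;
    }

    // Deserialize one untrusted document and report the outcome.
    static String handle(XStream xs, String untrustedXml) {
        try {
            Object o = xs.fromXML(untrustedXml);
            return "deserialized " + o.getClass().getName() + ": " + o;
        } catch (ForbiddenClassException e) {
            // Thrown directly when the forbidden type is the root element.
            return "rejected by allow-list: " + e.getMessage();
        } catch (XStreamException e) {
            // A forbidden nested type surfaces wrapped (e.g. ConversionException);
            // treat any other XStream failure as a rejection as well.
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream safe = hardened();
        System.out.println(handle(safe, BENIGN_XML));           // JobRequest is accepted
        System.out.println(handle(safe, UNEXPECTED_TYPE_XML));  // ArrayList is rejected

        // For contrast only; never hand an unrestricted instance untrusted data.
        System.out.println(handle(unrestricted(), UNEXPECTED_TYPE_XML));
    }
}
```

On 1.4.18 and later `new XStream()` no longer starts from a blacklist, but its default permissions still admit broad JDK type hierarchies, so the explicit allow-list in `hardened()` remains the configuration to deploy regardless of version.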

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary on record).

What are the Available Fixes for CVE-2021-39139?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39139?

Similar Vulnerabilities: CVE-2023-21931, CVE-2023-21839, CVE-2022-21443, CVE-2021-44228, CVE-2021-4104