CVE-2021-39141
arbitrary code execution vulnerability in com.thoughtworks.xstream:xstream

Arbitrary code execution proof of concept

What is CVE-2021-39141 About?

This vulnerability enables remote attackers to execute arbitrary code by manipulating the processed input stream. Its impact can range from data compromise to full system control. Exploitation is straightforward for an attacker who can send malicious input if security frameworks are not correctly configured.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

The vulnerability exists because XStream relies on a default blacklist of forbidden types for security, which is inherently weaker than a whitelist (allowlist) of permitted types. An attacker can craft an input stream that names types the blacklist does not cover. When XStream unmarshals that input, it instantiates those unexpected and dangerous types, which allows the attacker to load and execute arbitrary code from a remote location on the vulnerable system.

What is the Impact of CVE-2021-39141?

Successful exploitation may allow attackers to execute arbitrary code, leading to system compromise, data manipulation, unauthorized data access, or denial of service.

What is the Exploitability of CVE-2021-39141?

Exploitation involves sending a crafted input stream to a vulnerable XStream application, so the attack complexity is moderate. It is a remote attack and typically requires neither prior authentication nor elevated privileges. The main prerequisite is that the application uses an affected XStream version and relies on the default blacklist rather than a more robust whitelist configuration. The absence of strict input validation or proper security framework initialization significantly increases the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC Author: zwjjustdoit
Link: Link
Commentary: XSTREAM<=1.4.17 vulnerability reproduction (CVE-2021-39141, CVE-2021-39144, CVE-2021-39150)

What are the Available Fixes for CVE-2021-39141?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18

Additional Resources

What are Similar Vulnerabilities to CVE-2021-39141?

Similar Vulnerabilities: CVE-2021-21347, CVE-2021-29505, CVE-2021-39154, CVE-2019-10173, CVE-2013-7285