CVE-2021-39144
Remote Code Execution vulnerability in com.thoughtworks.xstream:xstream

Remote Code Execution High confidence exploit

What is CVE-2021-39144 About?

This vulnerability in XStream allows a remote attacker with sufficient rights to execute commands on the host by manipulating the processed input stream. It primarily affects users who do not follow the recommendation to set up XStream's security framework with a strict whitelist; whether it can be exploited depends on the application's XStream configuration.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

The vulnerability is a Remote Code Execution (RCE) flaw in XStream, stemming from insecure deserialization. It affects deployments where XStream processes untrusted input streams without a strict security whitelist and instead relies on its default blacklist, which the project itself documents as inherently insecure for general use. An attacker can craft a malicious XML or JSON payload that, when deserialized by XStream, triggers execution of arbitrary commands on the underlying host. This works by leveraging gadget classes on the application's classpath that allow instantiation and method invocation with attacker-controlled arguments during deserialization.

What is the Impact of CVE-2021-39144?

Successful exploitation may allow attackers to execute arbitrary commands, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2021-39144?

Exploitation requires the attacker to be able to send a manipulated input stream to an application using XStream, so this is a remote vulnerability. While the description mentions 'sufficient rights,' this typically refers only to the ability to reach the vulnerable endpoint; no authentication is required if the endpoint is publicly accessible. The complexity is moderate, requiring knowledge of deserialization gadget chains and of the application's classpath. The primary prerequisite is that XStream is configured without a whitelist in its security framework; processing untrusted input with such a configuration significantly increases the likelihood of exploitation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-39144?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18
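As an added illustration (not code from this page or from the XStream project), the following Java program contrasts a default XStream instance, which relies only on the built-in blacklist, with one configured as a strict allowlist as the advisory recommends. The Order class, the "order" alias and both sample documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only object this endpoint expects to receive.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Default construction: any class is resolvable unless it is on XStream's
    // built-in blacklist. This is the configuration the CVE description warns about.
    public static XStream blacklistOnlyXStream() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened construction: revoke every permission, then allow exactly the types
    // the application needs. Any other type fails with ForbiddenClassException.
    public static XStream allowlistXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);                 // start from "deny all"
        xs.addPermission(NullPermission.NULL);                   // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);    // permit int, boolean, ...
        xs.allowTypes(new Class[]{ String.class, Order.class }); // explicit allowlist
        xs.alias("order", Order.class);
        return xs;
    }

    // True if the instance refuses to instantiate the document's root type.
    // (A type rejected deeper in the tree surfaces wrapped in a ConversionException.)
    public static boolean rejectsRootType(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one matching the expected type, one naming a benign JDK
        // class that no legitimate request would ever send to this endpoint.
        String expected = "<order><id>A-1</id><quantity>2</quantity></order>";
        String unexpected = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        System.out.println("allowlist accepts expected:   " + !rejectsRootType(allowlistXStream(), expected));
        System.out.println("allowlist rejects unexpected: " + rejectsRootType(allowlistXStream(), unexpected));
        System.out.println("blacklist rejects unexpected: " + rejectsRootType(blacklistOnlyXStream(), unexpected));
    }
}
```

The last line prints false: the blacklist only stops classes already known to be dangerous, while the allowlist rejects everything the application did not explicitly declare, which is why the advisory treats a whitelist as the effective mitigation alongside upgrading to 1.4.18.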

Additional Resources

What are Similar Vulnerabilities to CVE-2021-39144?

Similar Vulnerabilities: CVE-2020-26259, CVE-2020-26258, CVE-2017-7957, CVE-2016-3674, CVE-2014-0099