CVE-2021-39145
Arbitrary Code Execution vulnerability in com.thoughtworks.xstream:xstream

Vulnerability class: Arbitrary Code Execution. Known public exploit: none.

What is CVE-2021-39145 About?

This vulnerability allows a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the input stream that XStream deserializes. Users who followed the project's recommendation to set up XStream's security framework with an allow list limited to the minimal required types are not affected; the risk is concentrated in deployments that rely on the default configuration of versions before 1.4.18, which used a blacklist. Exploitation requires a specially crafted input document that triggers the code loading during deserialization.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

The vulnerability in XStream versions before 1.4.18 is an insecure deserialization issue. XStream maps element names in the input document (XML, or JSON via its JSON drivers) to Java classes and instantiates them, so a remote attacker who controls that input can name classes that already exist on the application's classpath and chain them so that their instantiation or deserialization side effects load and execute code from a remote host. The attacker does not need to upload any class; the gadget chain is assembled from types the JVM already has. Prior to 1.4.18 XStream's default security framework was a blacklist of known-dangerous types, which this CVE bypasses. Version 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be made secure for general-purpose deserialization, and instead refuses any type that has not been explicitly allowed.

What is the Impact of CVE-2021-39145?

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the JVM process, which can lead to full compromise of the host running the application, data exfiltration, or denial of service.

What is the Exploitability of CVE-2021-39145?

Exploitation requires the ability to supply an input document to an application that deserializes it with a vulnerable version of XStream. The complexity is moderate: the attacker must construct a serialized object graph that reaches a suitable gadget chain on the target's classpath. No authentication is needed when the endpoint that feeds XStream is publicly reachable and accepts unauthenticated input, and the attack is carried out remotely over the network. The likelihood of exploitation is highest where the application passes untrusted XML or JSON to XStream without deserialization controls, in particular where no allow list of permitted types has been configured and the library is left on its pre-1.4.18 blacklist default.
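The mitigation the advisory names, an explicit allow list, is shown below as an added example; it is not code from the advisory or from the XStream project. The Order class, the "order" alias and both XML inputs are constructed for illustration, and the rejected input names a placeholder type outside the allow list rather than the CVE-2021-39145 gadget. The XStream API calls used (addPermission, allowTypeHierarchy, allowTypes, allowTypesByWildcard, alias, fromXML and ForbiddenClassException) are the library's own.

```java
// Added example, not code from the advisory or the XStream project: an XStream
// instance configured with an explicit allow list, plus a check that an
// unexpected type is refused. Order, the "order" alias and the XML inputs are
// constructed; the rejected input is a placeholder, not the CVE gadget.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

public class XStreamAllowList {

    // Hypothetical application type that the service legitimately accepts.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Builds an XStream that deserializes only the types the application needs.
    // The same configuration is correct on <1.4.18 (where the default is the
    // bypassable blacklist) and on >=1.4.18 (where unlisted types are refused).
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Clear the default permissions, then add back the minimum.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // For a whole package of model classes use a wildcard instead, e.g.:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // True if XStream refused the input because of the allow list. The
    // ForbiddenClassException surfaces directly for a top-level element and
    // may be wrapped in a ConversionException for a nested field, so walk
    // the cause chain rather than matching only the outermost exception.
    public static boolean rejectedByAllowList(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e; // some other deserialization failure; do not mask it
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed input of an allowed type: deserializes normally.
        Order order = (Order) xstream.fromXML(
            "<order><id>A-1</id><quantity>3</quantity></order>");
        System.out.println("order " + order.id + " x" + order.quantity);

        // Constructed input naming a type outside the allow list. On the
        // vulnerable default configuration XStream would try to resolve and
        // instantiate whatever class the element names; here the name is
        // refused before any class is loaded.
        String unexpected = "<java.io.File><path>/tmp/x</path></java.io.File>";
        System.out.println("rejected: " + rejectedByAllowList(xstream, unexpected));
    }
}
```

Starting from NoTypePermission.NONE is what makes this effective on pre-1.4.18 releases: without it the instance keeps the permissive default and the blacklist this CVE bypasses. Whether or not the version is upgraded, every XStream instance that parses untrusted input should be built this way, since the allow list is the only control that does not depend on the completeness of a denylist.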

What are the Known Public Exploits?

No public proof-of-concept exploits are listed for this CVE (PoC, author, link and commentary are all empty).

What are the Available Fixes for CVE-2021-39145?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18 or later. Note that 1.4.18 replaces the blacklist default with an allow list, so applications that deserialize types beyond Java's basic types and collections must register them explicitly (for example with allowTypes or allowTypesByWildcard) or they will start failing with ForbiddenClassException after the upgrade.
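Because XStream is frequently pulled in transitively, pinning the version in the build is usually more reliable than editing a direct dependency. The following Maven fragment is an added example, not part of the advisory; the groupId and artifactId are those of the affected package and the surrounding POM is assumed.

```xml
<!-- Added example, not from the advisory: pin xstream to the fixed release even
     when it only arrives as a transitive dependency of another artifact.
     The groupId/artifactId come from the advisory; the rest of the POM is assumed. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.18</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After adding the pin, confirm that no other path still resolves an older release with `mvn dependency:tree -Dincludes=com.thoughtworks.xstream`.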


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39145?

Similar Vulnerabilities: CVE-2021-21341, CVE-2020-26217, CVE-2017-7957, CVE-2017-1000487, CVE-2016-3674