CVE-2021-39146
Arbitrary Code Execution vulnerability in xstream (Maven)
What is CVE-2021-39146 About?
This vulnerability allows a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the input stream that XStream unmarshals. It affects applications that rely on the library's former default blacklist instead of configuring XStream's security framework with an allowlist limited to the minimal required types; applications that followed that recommendation are not affected. Exploitation needs nothing more than a crafted document reaching the deserializer, and the impact is full compromise of the process that performs the deserialization.
Affected Software
com.thoughtworks.xstream:xstream, all versions before 1.4.18, when the security framework has not been configured with an explicit allowlist.
Technical Details
This is a Java deserialization flaw. XStream rebuilds an object graph from the element names and values of the document it processes, so an attacker who controls that input chooses which classes are instantiated and how their fields are populated. Versions before 1.4.18 guarded unmarshalling only with a default blacklist of known-dangerous types; a blacklist cannot enumerate every class whose deserialization has side effects, so a crafted document chains types the blacklist does not cover (deserialization gadgets) until unmarshalling ends in loading and executing code from a remote host. The root cause is XStream processing untrusted input without a strict allowlist of the types the application actually expects; 1.4.18 accordingly stops shipping the blacklist as a default and requires an explicit allowlist.
What is the Impact of CVE-2021-39146?
Successful exploitation allows attackers to execute arbitrary code with the privileges of the JVM that performs the deserialization, leading to complete system compromise, data manipulation or exfiltration, and denial of service.
What is the Exploitability of CVE-2021-39146?
Exploitation requires only that the attacker can supply the document the application hands to XStream for unmarshalling; no local access is needed, and whether authentication is required depends solely on where the application accepts that input. The attack itself is a single crafted document, so once such an input path exists the complexity is low. It is defeated when the XStream security framework is configured with an allowlist limited to the minimal required types; the blacklist that versions before 1.4.18 applied by default is not sufficient.
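The blacklist-versus-allowlist distinction drawn in the Technical Details and Exploitability sections above, as an added example that is not part of this page or of the XStream project's own code. It assumes `com.thoughtworks.xstream:xstream` on the classpath (1.4.17 or earlier reproduces the vulnerable default); the `Person` type, the two XML documents and the helper names are constructed for the demonstration.

```java
// Added example (not from the page or the XStream project): the pre-1.4.18
// blacklist default beside an explicit allowlist built with XStream's security
// framework. Assumes com.thoughtworks.xstream:xstream on the classpath; Person,
// the sample XML and the helper names are constructed for this demonstration.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // The only application type this service expects to unmarshal.
    public static class Person {
        public String name;
        public int age;
    }

    // Vulnerable configuration on versions before 1.4.18: the instance refuses
    // only the types on XStream's built-in blacklist. Any other class on the
    // classpath, including gadget types the blacklist missed, is accepted.
    static XStream blacklistDefault() {
        XStream xs = new XStream();
        xs.alias("person", Person.class);
        return xs;
    }

    // Hardened configuration that works on every 1.4.x release: drop all
    // permissions (blacklist defaults included), then allow back only null,
    // primitives, String and the single application type.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // forbid everything first
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Person.class });
        xs.alias("person", Person.class);
        return xs;
    }

    // Constructed legitimate input: exactly the shape the application expects.
    static final String EXPECTED_INPUT =
        "<person><name>alice</name><age>30</age></person>";

    // Constructed attacker-style input: the root element names a class the
    // application never meant to deserialize. A harmless JDK type stands in
    // here; a real payload would name gadget classes instead.
    static final String UNEXPECTED_INPUT = "<java.util.HashMap/>";

    // Returns the class XStream instantiated for the document, or null when
    // the security framework rejected it with a ForbiddenClassException.
    static Class<?> unmarshalRootType(XStream xs, String xml) {
        try {
            return xs.fromXML(xml).getClass();
        } catch (ForbiddenClassException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        XStream weak = blacklistDefault();
        XStream strong = allowlisted();

        // Both instances accept the document the application expects.
        System.out.println("blacklist, expected input:  " + unmarshalRootType(weak, EXPECTED_INPUT));
        System.out.println("allowlist, expected input:  " + unmarshalRootType(strong, EXPECTED_INPUT));

        // Only the allowlisted instance refuses a type it was not told about.
        System.out.println("blacklist, unexpected input: " + unmarshalRootType(weak, UNEXPECTED_INPUT));
        System.out.println("allowlist, unexpected input: " + unmarshalRootType(strong, UNEXPECTED_INPUT));
    }
}
```

On a vulnerable release both instances unmarshal the `Person` document, but only the allowlisted one refuses the `HashMap` document (the helper returns null after catching `ForbiddenClassException`); the blacklist instance accepts it because an ordinary collection is not something a blacklist forbids, which is exactly the gap a gadget chain exploits. The `NoTypePermission.NONE` call is the important step: it removes every existing permission, so nothing is reachable except what is explicitly allowed afterwards.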
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39146?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - <1.4.18 → Upgrade to 1.4.18

Check transitive dependencies as well, since XStream is frequently pulled in indirectly. If the upgrade cannot be applied immediately, configure the security framework with an explicit allowlist limited to the minimal required types, as described in the XStream advisory linked below.
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://x-stream.github.io/CVE-2021-39146.html
- https://osv.dev/vulnerability/GHSA-p8pq-r894-fm8f
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2021/dsa-5004
- https://github.com/x-stream/xstream
What are Similar Vulnerabilities to CVE-2021-39146?
Similar Vulnerabilities: CVE-2021-21346, CVE-2021-39148, CVE-2013-7285, CVE-2017-7957, CVE-2022-41966
