CVE-2021-39147
Arbitrary Code Execution vulnerability in xstream (Maven)


What is CVE-2021-39147 About?

This XStream vulnerability allows remote attackers to execute arbitrary code through manipulation of the processed input stream. The impact is critical, giving attackers full control over the target system. Exploitation involves crafting a malicious input stream to bypass XStream's security blacklists.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

Similar to previous XStream vulnerabilities, CVE-2021-39147 stems from the deserialization process where a remote attacker can manipulate the processed input stream to achieve arbitrary code execution. This particular vulnerability bypasses the default blacklist-based security framework that XStream employed in earlier versions. By crafting a specific input, a malicious payload can be included within the stream that, upon deserialization, triggers the loading and execution of code from a remote host. The design flaw of relying on an incomplete blacklist rather than a robust whitelist allows such bypasses.

What is the Impact of CVE-2021-39147?

Successful exploitation may allow attackers to execute arbitrary code on the target system, potentially leading to unauthorized access, data compromise, or complete system takeover.

What is the Exploitability of CVE-2021-39147?

Exploitation requires a remote attacker to control the input stream handed to XStream. The complexity is moderate, since it involves crafting a specific deserialization payload. Authentication is not a prerequisite for the attack itself; what the attacker needs is reachability of an endpoint that deserializes input with XStream. This is a remote attack, and the code runs with the privileges of the application that uses XStream. The likelihood of exploitation is high if the application processes untrusted input with XStream without a proper whitelist-based security configuration, especially since XStream 1.4.18 abandons the default blacklist because it is inherently insecure.

What are the Known Public Exploits?

Exploit table (PoC, Author, Link, Commentary): no known public exploits.

What are the Available Fixes for CVE-2021-39147?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39147?

Similar Vulnerabilities: CVE-2021-21351, CVE-2021-39140, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259