CVE-2021-39149
remote attacker vulnerability in xstream (Maven)
What is CVE-2021-39149 About?
This vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. This results in remote code execution and severe compromise. Exploitation depends on the lack of a proper security framework configuration in XStream, making it a high-impact but potentially complex attack.
Affected Software
Technical Details
The vulnerability arises during the unmarshalling process in XStream when type information from the input stream is used to recreate objects. An attacker can manipulate this stream to inject malicious objects or references that, upon deserialization, trigger the loading and execution of arbitrary code from a remote host. This is often achieved by exploiting gadget chains within the application's classpath that enable code execution when specific objects are deserialized. The absence of a properly configured XStream security framework with a strict whitelist of allowed types is critical for this vulnerability to be exploitable, as it allows the introduction of untrusted types.
What is the Impact of CVE-2021-39149?
Successful exploitation may allow attackers to execute arbitrary code on the target system, leading to complete system compromise, data exfiltration, or further attacks on the network.
What is the Exploitability of CVE-2021-39149?
The complexity of exploiting this vulnerability can be high, as it requires crafting sophisticated payloads and potentially identifying suitable deserialization gadgets. Authentication requirements depend on how the application handles input; typically, if an unauthenticated user can submit data that is unmarshalled, the vulnerability is remotely exploitable without authentication. The attack vector is remote. Privilege requirements for the attacker are minimal; the injected code executes with the privileges of the application running XStream. The most significant condition for exploitation is the absence of an XStream security framework configured with a whitelist of permitted types, as XStream 1.4.18 and later no longer use a general-purpose blacklist by default.
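The mitigation named in the two sections above (an XStream security framework that starts from "deny everything" and re-adds only the types the application expects) can be illustrated with a short Java program. This is an added example, not code from the XStream project or from the advisory; it assumes XStream 1.4.18 or later on the classpath, and the `Person` model class, the alias name and the XML inputs are constructed for the demonstration. The permission classes and the `addPermission`, `allowTypes`, `alias`, `toXML` and `fromXML` calls are XStream's public API.

```java
// Added example (not XStream project code): unmarshalling with an explicit allowlist.
// Assumes xstream 1.4.18+ on the classpath; Person, the alias and the XML are constructed.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamDemo {

    // Constructed model class: the only application type this code intends to unmarshal.
    public static class Person {
        String name;
        int age;

        Person() {}

        Person(String name, int age) {
            this.name = name;
            this.age = age;
        }
    }

    // Build an XStream instance whose security policy is an allowlist and nothing else.
    public static XStream newHardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears every existing permission, so everything
        // added after it is the complete policy.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Name the exact classes expected in the stream; avoid wildcards over
        // java.* or third-party packages, which would reintroduce unwanted types.
        xstream.allowTypes(new Class[] { Person.class, String.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newHardenedXStream();
        xstream.alias("person", Person.class);

        // A legitimate object round-trips normally.
        String good = xstream.toXML(new Person("Ada", 36));
        Person p = (Person) xstream.fromXML(good);
        System.out.println("accepted: " + p.name + ", " + p.age);

        // Constructed input that names a type not on the allowlist. java.util.Date is
        // harmless; the point is that any unlisted class is rejected by the security
        // framework before an instance is ever created.
        String unlisted = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unlisted);
            System.out.println("unexpected: unlisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with the XStream jar on the classpath; the first `fromXML` prints the accepted `Person`, the second throws `ForbiddenClassException`. The design point is that the policy is a positive list: upgrading to 1.4.18 removes the default blacklist, but an application still has to state which types it expects, and a type-name in the input that is not on that list must fail closed.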
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39149?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.18 → Upgrade to 1.4.18
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://x-stream.github.io/CVE-2021-39149.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2021/dsa-5004
- https://github.com/x-stream/xstream
- https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x
What are Similar Vulnerabilities to CVE-2021-39149?
Similar Vulnerabilities: CVE-2017-1000487, CVE-2020-25649, CVE-2021-21390, CVE-2021-29505, CVE-2021-21345
