CVE-2021-39150
Server-side request forgery (SSRF) via a crafted input stream in xstream (Maven)
What is CVE-2021-39150 About?
This vulnerability allows a remote attacker to request data from internal resources that are not publicly available by manipulating the input stream that XStream unmarshals. The result is server-side request forgery (SSRF) and, through it, information disclosure. Exploitation requires two conditions: XStream's security framework is not configured with a whitelist limited to the types the application actually needs, and the application runs on a Java runtime from version 8 through version 14.
Affected Software
com.thoughtworks.xstream:xstream, versions before 1.4.18 (see the upgrade options below).
Technical Details
The vulnerability is triggered during unmarshalling in XStream when the application runs on Java runtime versions 8 through 14. Because XStream instantiates whatever types the input names, an attacker who controls the input stream can make it construct JDK classes whose deserialization opens a network connection or reads a local resource; the page gives network-aware types such as java.net.URL as the kind of class involved. The resulting request is issued by the server process itself, which is what makes this a server-side request forgery (SSRF). Without an XStream security framework configured with a whitelist, the application implicitly trusts and deserializes any such class on the classpath, so the attacker can reach internal services or local files and leak their contents.
What is the Impact of CVE-2021-39150?
Successful exploitation lets an attacker read internal network resources and sensitive data, or perform requests from the server's network position, leading to information disclosure and potentially further compromise of systems that trust the server.
What is the Exploitability of CVE-2021-39150?
Exploitation complexity is moderate: the attacker must understand Java deserialization gadgets and how to express them in a malicious XStream input. No authentication is required if the endpoint that unmarshals untrusted input is publicly reachable, and the attack is remote. No elevated privileges are needed, because the forged requests are issued by the vulnerable application's own process. The critical preconditions are that the target runs on Java runtime versions 8 through 14 and that XStream's security framework is not configured with a whitelist of allowed types.
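The whitelist condition in the technical details and exploitability sections is the one a defender controls. The following is an added example, not code from the advisory or the XStream project: it contrasts an XStream instance with no type whitelist against one restricted to the application's own model type, using only XStream's public security API (`addPermission`, `allowTypes`). The `Order` class, the `EXPECTED_XML` document and the `UNTRUSTED_XML` probe are constructed for this example; the probe simply names a JDK class the application never meant to read and is not the CVE-2021-39150 payload.

```java
// Added example (not from the advisory or the XStream project). Requires
// com.thoughtworks.xstream:xstream on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistDemo {

    // Hypothetical application model: the only type this app should ever read.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Constructed legitimate input.
    static final String EXPECTED_XML =
        "<order><id>A-17</id><quantity>3</quantity></order>";

    // Constructed stand-in for attacker input: the root element names a JDK class
    // the application never intended to deserialize. This is NOT the CVE payload;
    // it only shows that an unlisted class name is honoured when no whitelist exists.
    static final String UNTRUSTED_XML =
        "<java.net.URL>http://169.254.169.254/latest/meta-data/</java.net.URL>";

    // Weak shape: every type is allowed, mirroring a pre-1.4.18 instance that never
    // configured the security framework.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    // Hardened shape: clear all permissions, then allow only what the app needs.
    static XStream whitelisted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing"
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, and boxes
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs;
    }

    public static void main(String[] args) {
        // The hardened instance still reads the document the app expects.
        Order o = (Order) whitelisted().fromXML(EXPECTED_XML);
        System.out.println("whitelisted parsed order " + o.id + " x" + o.quantity);

        // Without a whitelist, the attacker-chosen JDK type is instantiated.
        Object loose = permissive().fromXML(UNTRUSTED_XML);
        System.out.println("permissive instantiated: " + loose.getClass().getName());

        // With the whitelist, the same input is rejected before any object is built.
        try {
            whitelisted().fromXML(UNTRUSTED_XML);
            System.out.println("whitelisted: unexpectedly accepted the probe");
        } catch (ForbiddenClassException e) {
            System.out.println("whitelisted rejected: " + e.getMessage());
        }
    }
}
```

Constructing a `java.net.URL` does not by itself open a connection; the point of the probe is that an arbitrary JDK class was instantiated on attacker-controlled input, which is the precondition every XStream SSRF gadget builds on. The order of calls in `whitelisted()` matters: `NoTypePermission.NONE` must come first, because it discards any permissions registered before it.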
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39150?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.18 → Upgrade to 1.4.18. Note that 1.4.18 also changes XStream's default from a blacklist to a whitelist, so applications that relied on the old default must register the types they need after upgrading.
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://osv.dev/vulnerability/GHSA-cxfm-5m4g-x7xp
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2021/dsa-5004
- https://github.com/x-stream/xstream
- https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp
What are Similar Vulnerabilities to CVE-2021-39150?
Similar Vulnerabilities: CVE-2014-0095, CVE-2016-3620, CVE-2017-1000487, CVE-2018-1000861, CVE-2021-21345
