CVE-2021-39151
Remote Code Execution vulnerability in com.thoughtworks.xstream:xstream

Remote Code Execution (no known public exploit)

What is CVE-2021-39151 About?

This vulnerability enables a remote attacker to execute arbitrary code by manipulating the processed input stream. The impact is severe, potentially leading to full system compromise. Exploitation is relatively straightforward if the application processes untrusted input via XStream without proper security measures.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

The vulnerability stems from XStream's deserialization process, where a crafted input stream can lead to the loading and execution of arbitrary code from a remote host. This scenario occurs when XStream is configured to process untrusted XML or JSON input without a strict whitelist for allowed types. An attacker can inject specific gadget chains into the input stream that, upon deserialization, trigger the instantiation of arbitrary classes and method calls, bypassing XStream's default blacklist. This allows for remote compromise of the system running the vulnerable XStream application.

What is the Impact of CVE-2021-39151?

Successful exploitation may allow attackers to execute arbitrary code, leading to complete system control, data theft, or denial of service.

What is the Exploitability of CVE-2021-39151?

Exploitation is of moderate complexity, requiring an understanding of XStream's internals and Java deserialization. No authentication is required, because the attack consists of supplying a crafted data stream directly to the deserializer, and no privileges on the target system are needed. The vulnerability is remotely exploitable across a network. The key prerequisite is that the application passes untrusted input through XStream without the security framework configured with a whitelist of permitted types; the default blacklist is frequently insufficient, which increases the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-39151?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18
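Upgrading to 1.4.18 removes the reliance on the default blacklist, but the fix section and the technical details above both point at the same configuration control: process untrusted input only through an XStream instance whose security framework is set to a whitelist of the minimal required types. The following Java snippet is an added example written for this page, not code from the XStream project or from Resolved Security. The `Order` DTO, the `order` alias and the two XML documents are constructed for the demonstration; it uses the public XStream 1.4.x APIs `addPermission`, `allowTypes` and the `ForbiddenClassException` raised when a non-whitelisted type is encountered.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example: whitelist-based XStream hardening.
// Build against com.thoughtworks.xstream:xstream:1.4.18 (the fixed version named above).
public class XStreamAllowlistExample {

    /** Hypothetical application DTO; the only user-defined type we want XStream to instantiate. */
    public static class Order {
        String id;
        int quantity;
    }

    /** Returns an XStream instance that deserializes explicitly allowed types only. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Reset to "nothing is allowed" instead of trusting the default blacklist.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-enable only the built-ins the DTO actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample input: a well-formed Order document is accepted.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        Order o = (Order) xstream.fromXML(good);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed sample input whose root element names a class outside the whitelist.
        // XStream rejects it when resolving the type, before any instance is created.
        String unexpected = "<java.io.File><path>/tmp/example</path></java.io.File>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("UNEXPECTED: non-whitelisted type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The `ForbiddenClassException` is the signal to log and alert on in production: a stream naming a type outside the whitelist is either a bug in the calling code or an attempt to reach a gadget class, and in both cases the request should fail closed rather than fall back to a permissive parser.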

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39151?

Similar Vulnerabilities: CVE-2021-39153, CVE-2021-21350, CVE-2020-26217, CVE-2020-26258, CVE-2017-7957