CVE-2021-39152
Server-Side Request Forgery (SSRF) vulnerability in xstream (Maven)
What is CVE-2021-39152 About?
This vulnerability allows a remote attacker to perform Server-Side Request Forgery (SSRF) by manipulating the input stream that XStream processes; it affects deployments running on Java runtime versions 14 down to 8. Through it an attacker can reach internal resources that are not publicly available, making this a high-impact issue that is exploitable remotely with a crafted input stream. Exploitation is relatively easy if XStream's security framework is not properly configured.
Affected Software
Technical Details
The vulnerability allows a remote attacker to read data from internal resources that are not publicly exposed. This is achieved by manipulating the processed input stream of XStream, where a crafted input leverages deserialization mechanisms to construct requests to internal endpoints. When XStream processes this malicious input, it is coerced into making requests to internal network locations or services, effectively bypassing network segmentation or access controls. This vulnerability specifically affects Java runtime versions 14 down to 8 and relies on the absence of a restrictive security framework, such as a whitelist for allowed types, within XStream's configuration.
What is the Impact of CVE-2021-39152?
Successful exploitation may allow attackers to access internal network resources, sensitive data, or perform actions that are typically restricted, potentially leading to further compromise.
What is the Exploitability of CVE-2021-39152?
Exploitation requires a remote attacker to manipulate the processed input stream. No specific authentication or privilege requirements are mentioned. The attack is remote, making it accessible from outside the affected system's immediate network. The complexity is low to moderate, as it primarily involves sending a specially crafted input stream to XStream. The likelihood of exploitation is significantly reduced if XStream's security framework is configured with a strict whitelist of allowed types, preventing the malicious deserialization that leads to SSRF.
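As an added illustration of the mitigation named in the two sections above (example code written for this page, not code from the XStream project or from the advisory), the following Java configures XStream's security framework as a strict allowlist: every type is denied first, then only null, primitives, String and a single application type are re-enabled, so XML that names any other class is rejected before it is instantiated. It assumes XStream 1.4.x on the classpath; the Order class and both XML strings are constructed for the example.

```java
// Added example (not from the XStream project or the advisory): an XStream
// instance locked to an explicit allowlist of types, so that any XML naming a
// class outside that list is rejected before it is instantiated.
// Assumes XStream 1.4.x on the classpath; Order is a constructed sample model.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Constructed sample model: the only application type we expect in input.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream whose security framework denies everything by default
    // and re-enables only what the application actually needs.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Replace the permissive defaults of older 1.4.x releases with deny-all.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow null and Java primitives together with their boxed wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // String is not covered by PRIMITIVES, so allow it explicitly,
        // together with the application's own model type.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Map the root element name used in the input to the model type.
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true if the XML deserialised to an Order, false if the
    // security framework rejected a type that is not on the allowlist.
    // ForbiddenClassException is the signal worth logging in production:
    // it means input tried to name a type the application never granted.
    public static boolean accepts(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml) instanceof Order;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input: matches the allowlisted model.
        String good = "<order><id>A-1</id><quantity>2</quantity></order>";
        // Constructed input naming a JDK class the allowlist never granted;
        // the type is rejected at the mapper, so nothing is instantiated.
        String rejected = "<java.util.Random/>";

        System.out.println("model accepted: " + accepts(xstream, good));
        System.out.println("other type accepted: " + accepts(xstream, rejected));
    }
}
```

The upgrade to 1.4.18 listed under the fixes below changes XStream's default security setup; an explicit allowlist like this one additionally documents exactly which types the application accepts and does not depend on the library's defaults, which is the configuration the exploitability discussion above refers to.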
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39152?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.18 → Upgrade to 1.4.18
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://x-stream.github.io/CVE-2021-39152.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2021/dsa-5004
- https://github.com/x-stream/xstream
- https://security.netapp.com/advisory/ntap-20210923-0003/
What are Similar Vulnerabilities to CVE-2021-39152?
Similar Vulnerabilities: CVE-2021-39146, CVE-2021-39148, CVE-2021-21346, CVE-2018-11770, CVE-2020-1945
