CVE-2021-39153
Remote Code Execution vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2021-39153 About?
This vulnerability allows a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the input stream that XStream processes, when XStream is used out of the box (that is, relying on its default type blacklist) on Java runtime versions 8 through 14 or with JavaFX installed. Applications that follow the project's long-standing recommendation to set up XStream's security framework with a whitelist limited to the minimal set of required types are not affected. The impact is severe: code runs with the privileges of the application process, so a successful attack can lead to complete compromise of the host. Exploitation is practical whenever the affected configuration is present, since the attacker only needs to deliver a crafted document to any endpoint that feeds XStream.
Affected Software
Technical Details
The vulnerability arises from the inadequacy of XStream's default security mechanism in versions before 1.4.18, which relied on a blacklist of known-dangerous types instead of a whitelist of permitted ones. XStream unmarshals XML (or JSON) into an object graph by instantiating whatever classes the input names and populating their fields through reflection, so an attacker who controls the input can reference classes that the application never intended to deserialize. A crafted input stream chains such classes, available in Java runtime versions 8 through 14 or in JavaFX, into a deserialization gadget that the blacklist does not cover; when XStream processes the stream, the gadget causes arbitrary code to be loaded from a remote host and executed, with no user interaction. Note that this is XStream's own reflection-based unmarshalling rather than Java's native serialization, so the only effective control is XStream's security framework, and a blacklist cannot be made complete against the whole classpath, which is why 1.4.18 abandons it as the default.
What is the Impact of CVE-2021-39153?
Successful exploitation may allow attackers to achieve arbitrary code execution, gain full control over the compromised system, or cause data corruption and service disruption.
What is the Exploitability of CVE-2021-39153?
Exploitation requires knowledge of a gadget chain that works against the target runtime (Java 8 through 14, or JavaFX) and of how XStream maps input elements to classes; once such a chain is known, the attack is a single crafted document, which is why the risk is high despite the moderate research effort. No special privileges are needed on the target system, since the code runs inside the application process as soon as the stream is processed. The vulnerability is remotely exploitable: the attacker sends the malicious input over whatever channel the application uses to receive data that it hands to XStream. Whether authentication is needed depends on how that channel is exposed; the attack itself only needs the ability to supply the input stream. Prerequisites are an XStream version before 1.4.18 used with its default blacklist and without a configured whitelist, and Java 8 through 14 or JavaFX on the classpath. The likelihood of exploitation increases significantly if the application uses XStream out of the box without custom security configuration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | - | - |
What are the Available Fixes for CVE-2021-39153?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.18 → Upgrade to 1.4.18 or later (1.4.18 no longer uses a blacklist by default, so the types your application deserializes must be explicitly allowed through XStream's security framework)
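Upgrading alone is not the whole fix: the project's mitigation, both for unpatched 1.4.17 deployments and as the required configuration on 1.4.18 and later, is to replace the default blacklist with an explicit whitelist of the types the application actually unmarshals. The following is an added example written for this page, not code from the XStream project or from the advisory. It uses XStream's public security API (`addPermission`, `allowTypes`, `allowTypeHierarchy`, `ForbiddenClassException`, all available since 1.4.7); the `Order` model class, the `com.example.model` package name and the two XML documents are assumptions constructed for the demonstration, and the hostile document simply names a JDK class outside the allowlist, it is not a gadget chain.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

// Hypothetical application model class (assumption for this example, default package
// so that the XML element <Order> resolves to it without an alias).
class Order {
    String id;
    int quantity;
}

public class XStreamAllowlistDemo {

    // Vulnerable pattern on XStream < 1.4.18: the instance ships with a blacklist of
    // known-bad types and instantiates any other class the input names.
    static XStream unsafeXStream() {
        return new XStream();
    }

    // Hardened pattern (valid on 1.4.17 and required on 1.4.18+): deny every type
    // first, then allow exactly what the application needs to unmarshal.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // forbid everything...
        xs.addPermission(NullPermission.NULL);                // ...then re-allow null,
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and boxed types,
        xs.allowTypes(new Class[] { String.class });          // strings,
        xs.allowTypeHierarchy(Collection.class);              // collections and maps
        xs.allowTypeHierarchy(Map.class);                     // (element types are still checked),
        xs.allowTypes(new Class[] { Order.class });           // and the model class itself.
        // In a real application allow the model package by wildcard instead; the
        // package name here is an assumption:
        // xs.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xs;
    }

    // Unmarshals untrusted input; returns null when the allowlist rejects a type.
    static Object parseUntrusted(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.err.println("rejected type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs. The second names a JDK class the application never
        // deserializes; it stands in for any class outside the allowlist.
        String legitimate = "<Order><id>A-1</id><quantity>2</quantity></Order>";
        String hostile = "<java.lang.ProcessBuilder/>";

        XStream hardened = hardenedXStream();
        Order o = (Order) parseUntrusted(hardened, legitimate);
        System.out.println("hardened accepted order " + o.id + " x" + o.quantity);
        System.out.println("hardened rejected hostile input: "
                + (parseUntrusted(hardened, hostile) == null));

        // On XStream < 1.4.18 the unsafe instance instantiates the unlisted class because
        // ProcessBuilder is not on the default blacklist; on 1.4.18 and later, which no
        // longer ship a blacklist by default, it is expected to be rejected as well.
        Object r = parseUntrusted(unsafeXStream(), hostile);
        System.out.println("unsafe instance returned: "
                + (r == null ? "rejected" : r.getClass().getName()));
    }
}
```

The order of calls matters: `NoTypePermission.NONE` must be added before the allowances, because it clears every previously granted permission. In production code catch `ConversionException` as well as `ForbiddenClassException`, since malformed input fails in the converter rather than in the security mapper, and log the rejected class name: a burst of `ForbiddenClassException` entries naming JDK or JavaFX types from one client is a useful detection signal for attempts against this class of bug.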
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://x-stream.github.io/CVE-2021-39153.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2021/dsa-5004
- https://nvd.nist.gov/vuln/detail/CVE-2021-39153
What are Similar Vulnerabilities to CVE-2021-39153?
Similar Vulnerabilities: CVE-2021-39151, CVE-2021-21350, CVE-2020-26217, CVE-2020-26258, CVE-2017-7957
