CVE-2021-39154
arbitrary code execution vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2021-39154 About?
This vulnerability enables a remote attacker to load and execute arbitrary code by manipulating the processed input stream in XStream. It can lead to severe system compromise or data exfiltration. Exploitation is relatively easy if the XStream security framework is not configured with a whitelist.
Affected Software
Technical Details
The vulnerability in XStream arises from its security framework relying on a default blacklist, which the XStream project itself (from 1.4.18 onward) acknowledges is insufficient for general-purpose security. An attacker can craft a malicious input stream (e.g., XML) that, when deserialized by a vulnerable XStream application, bypasses the blacklist. This lets the attacker instruct the application to load and execute arbitrary code from a remote host, achieving remote code execution on the target system. The absence of a strong whitelist (restricting deserialization to the minimal set of required types) is the key factor in its exploitability.
What is the Impact of CVE-2021-39154?
Successful exploitation may allow attackers to execute arbitrary code, leading to system compromise, data leakage, denial of service, or unauthorized control over the affected system.
What is the Exploitability of CVE-2021-39154?
Exploitation requires a remote attacker to supply a specially crafted input stream to an application using XStream. The complexity is moderate, involving knowledge of deserialization gadget chains. No authentication or prior privileges are explicitly required. The attack is remote. The primary prerequisite is that the target application uses an affected XStream version and relies on the default blacklist instead of a robust whitelist, which effectively removes the necessary security barrier against such attacks. The processing of untrusted input makes exploitation more likely.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-39154?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - <1.4.18 → Upgrade to 1.4.18
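As an added example (not code from this advisory or the XStream project), the following contrasts a bare XStream instance, which relies on the default blacklist this CVE bypasses, with one locked down to a whitelist through XStream's permission API. The Order class and both XML documents are constructed for the demonstration, and it assumes an XStream 1.4.x jar on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistExample {

    // Constructed model type: the only object this application expects to unmarshal.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Weak: a bare instance relies on the built-in blacklist that CVE-2021-39154 bypasses.
    static XStream blacklistOnly() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Hardened: deny every type first, then re-allow only what the application really needs.
    static XStream whitelisted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);                 // forbid everything ...
        xstream.addPermission(NullPermission.NULL);                   // ... then allow nulls,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);    // primitives,
        xstream.allowTypes(new Class[] { String.class, Order.class }); // and the model types
        xstream.alias("order", Order.class);
        return xstream;
    }

    // True when the instance unmarshals the document, false when it refuses the root type.
    static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one matches the model, the other names a type the app never needs.
        String expected = "<order><id>A-1</id><quantity>2</quantity></order>";
        String unexpected = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        System.out.println("blacklist accepts expected:   " + accepts(blacklistOnly(), expected));
        System.out.println("blacklist accepts unexpected: " + accepts(blacklistOnly(), unexpected)); // true: not blacklisted
        System.out.println("whitelist accepts expected:   " + accepts(whitelisted(), expected));
        System.out.println("whitelist accepts unexpected: " + accepts(whitelisted(), unexpected)); // false: ForbiddenClassException
    }
}
```

The whitelisted instance rejects any root type outside the allowed set before a converter runs, which is the barrier the advisory says is missing when only the default blacklist is in place.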
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://x-stream.github.io/CVE-2021-39154.html
- https://www.debian.org/security/2021/dsa-5004
- https://github.com/x-stream/xstream
What are Similar Vulnerabilities to CVE-2021-39154?
Similar Vulnerabilities: CVE-2021-21347, CVE-2021-39141, CVE-2021-29505, CVE-2019-10173, CVE-2013-7285
