Vulnerability Description
Recently, NSFOCUS detected that XStream released security advisories disclosing 11 vulnerabilities in its products (CVE-2021-21341 through CVE-2021-21351). An attacker who can control the input stream that an application passes to XStream for unmarshalling could exploit these vulnerabilities to cause denial of service (DoS), perform server-side request forgery (SSRF), delete arbitrary files on the server, or achieve arbitrary remote code execution (RCE).
XStream is a library for converting Java objects to XML and back. It serializes JavaBeans and deserializes XML without requiring auxiliary classes or mapping files, which removes much of the usual overhead of XML serialization. All 11 issues share the same root cause: at unmarshalling time XStream instantiates whatever types the input names, so an application that unmarshals untrusted input without restricting the permitted types is exposed.
CVE-2021-21341: An attacker can manipulate the processed input stream and replace or inject a manipulated ByteArrayInputStream (or derived class), which causes an endless loop, resulting in a denial of service.
CVE-2021-21342: An attacker can manipulate the processed input stream and replace or inject objects, resulting in a server-side request forgery (SSRF).
CVE-2021-21343: An attacker can manipulate the processed input stream and replace or inject objects, resulting in deletion of arbitrary files on the local host.
CVE-2021-21344: An attacker can manipulate the processed input stream and replace or inject objects, resulting in execution of arbitrary code loaded from a remote server.
CVE-2021-21345: An attacker can manipulate the processed input stream and replace or inject objects, resulting in execution of a local command on the server.
CVE-2021-21346: An attacker can manipulate the processed input stream and replace or inject objects, resulting in execution of arbitrary code loaded from a remote server.
CVE-2021-21347: An attacker can manipulate the processed input stream and replace or inject objects, resulting in execution of arbitrary code loaded from a remote server.
CVE-2021-21348: An attacker can manipulate the processed input stream and replace or inject objects, resulting in evaluation of a malicious regular expression that causes a denial of service (ReDoS).
CVE-2021-21349: An attacker can manipulate the processed input stream and replace or inject objects, resulting in a server-side request forgery (SSRF).
CVE-2021-21350: An attacker can manipulate the processed input stream and replace or inject objects, resulting in arbitrary code execution.
CVE-2021-21351: An attacker can manipulate the processed input stream and replace or inject objects, resulting in execution of arbitrary code loaded from a remote server.
Reference link:
https://x-stream.github.io/security.html#workaround
Scope of Impact
Affected Versions
- XStream <= 1.4.15
Unaffected Versions
- XStream >= 1.4.16
Mitigation
Official Fix
Currently, these vulnerabilities have been fixed in XStream 1.4.16. If you are affected, please upgrade your installation as soon as possible via https://x-stream.github.io/download.html.
Workaround
If an upgrade is not currently possible, users can apply the mitigation described at the official link: initialize XStream's security framework with an allowlist of the types the application actually needs to unmarshal, or, where an allowlist is not feasible, register the explicit denylist that the page gives for the deployed XStream version. A denylist only blocks the types it names, so it must be kept in sync with the official page as new gadget types are published.
https://x-stream.github.io/security.html#workaround
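The following is an added example, not code from the NSFOCUS advisory or from the XStream project, showing the two workaround styles the official page describes. It uses XStream's real security-framework API (addPermission, allowTypes, allowTypeHierarchy, denyTypes, denyTypesByRegExp, all present in 1.4.x); the Order class, the "order" alias, and the sample XML strings are constructed for the demonstration, and the patterns in the denylist method are illustrative only, not the official list for any version. It assumes the com.thoughtworks:xstream artifact on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class XStreamHardening {

    /** Hypothetical application type: the only object this service expects to unmarshal. */
    public static class Order {
        public int id;
        public String customer;
        public List<String> items = new ArrayList<String>();
    }

    /**
     * Preferred workaround: an allowlist. Any type not granted here is refused
     * at unmarshalling time, so a gadget class named in attacker-controlled XML
     * is never instantiated, whichever of the CVEs it would have triggered.
     */
    public static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears the permissive defaults; rebuild from nothing.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Exactly the types this application needs, and nothing else.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.allowTypeHierarchy(Collection.class); // needed for the List<String> field
        xstream.alias("order", Order.class);
        return xstream;
    }

    /**
     * Fallback when an allowlist is not feasible: a denylist. It blocks only what
     * it names, so the real pattern list must be taken from the official security
     * page for the exact XStream version in use. The entries below are illustrative.
     */
    public static XStream denylistedXStream() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { ProcessBuilder.class });          // illustrative entry
        xstream.denyTypesByRegExp(new String[] { "java\\.lang\\.Process.*" }); // illustrative entry
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Unmarshals the input, returning null when XStream's security framework refuses it. */
    public static Object tryUnmarshal(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // Under the allowlist this is a ForbiddenClassException naming the refused type.
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = allowlistedXStream();

        // Constructed benign input: what the application itself would produce.
        Order order = new Order();
        order.id = 42;
        order.customer = "alice";
        order.items.add("widget");
        String benign = xstream.toXML(order);
        Order back = (Order) tryUnmarshal(xstream, benign);
        System.out.println("accepted: order " + back.id + " for " + back.customer);

        // Constructed hostile-looking input: the root element names a type the
        // application never uses. The allowlist refuses it before instantiation.
        String hostile = "<java.lang.ProcessBuilder/>";
        tryUnmarshal(xstream, hostile);
    }
}
```

The benign document round-trips; the second call is refused with a ForbiddenClassException for java.lang.ProcessBuilder. Note that the same hostile root would pass the denylist variant only if its patterns happened to cover that class, which is why the official page recommends the allowlist and treats the denylist as a stopgap.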
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.