CVE-2021-21347 (Medium) Detected In Xstream-1.4.5.jar

by ADMIN

CVE-2021-21347 (Medium) Detected in xstream-1.4.5.jar: A Remote Code Execution Vulnerability in a Java Serialization Library

Introduction

XStream is a widely used Java library for serializing objects to XML and back again. A vulnerability, CVE-2021-21347, affects XStream versions prior to 1.4.16: it allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. In this article, we will delve into the details of this vulnerability, its impact, and the suggested fix.

CVE-2021-21347: A Medium Severity Vulnerability

CVE-2021-21347 is a medium severity vulnerability in XStream, a Java library used for serializing objects to XML and back again. The vulnerability was discovered in XStream versions prior to 1.4.16 and allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.

Vulnerable Library

The vulnerable library is xstream-1.4.5.jar, the 1.4.5 release of XStream. This library is used for serializing objects to XML and back again.

Dependency Hierarchy

The dependency hierarchy of the vulnerable library is as follows:

  • xstream-1.4.5.jar (Vulnerable Library)

Found in HEAD Commit

The vulnerable library was found in the HEAD commit of the SAST-Test-Repo-69eec189-e884-4d21-b129-b76430e30c97 repository, with the commit hash b19938a045bfea1defab9c2a9a22e57af023d02a.

Found in Base Branch

The vulnerable library was also found in the base branch main.

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date

The publish date of the vulnerability is 2021-03-22.

URL

The URL of the vulnerability is https://www.mend.io/vulnerability-database/CVE-2021-21347.

CVSS 3 Score Details

The CVSS 3 score of the vulnerability is 6.1, which indicates a medium severity vulnerability.

Base Score Metrics

The base score metrics of the vulnerability are as follows:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed

Impact Metrics

The impact metrics of the vulnerability are as follows:

  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

The suggested fix for the vulnerability is to upgrade the version of XStream to at least 1.4.16.

Type

The type of the suggested fix is Upgrade version.

Origin

The origin of the suggested fix is https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f.

Release Date

The release date of the suggested fix is 2021-03-22.

Fix Resolution

The fix resolution of the suggested fix is 1.4.16.

Conclusion

In conclusion, CVE-2021-21347 is a medium severity vulnerability (CVSS 3 score 6.1) in XStream, a widely used Java library for serializing objects to XML and back again. The vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The suggested fix is to upgrade the version of XStream to at least 1.4.16. It is essential to address this vulnerability to prevent potential security risks.

Recommendations

  • Upgrade the version of XStream to at least 1.4.16.
  • Review the dependency hierarchy of the vulnerable library.
  • Check the HEAD commit and base branch for the vulnerable library.
  • Follow the recommended security framework setup for XStream.
  • Use a whitelist limited to the minimal required types.

Introduction

In our previous article, we discussed CVE-2021-21347, a vulnerability in XStream, a widely used Java library for serializing objects to XML and back again. In this article, we will answer some frequently asked questions (FAQs) related to this vulnerability.

Q&A

Q: What is XStream?

A: XStream is a Java library for serializing objects to XML and back again. It is widely used in Java applications for data exchange and storage.

Q: What is CVE-2021-21347?

A: CVE-2021-21347 is a medium severity vulnerability in XStream before version 1.4.16, which allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream.

Q: What is the impact of CVE-2021-21347?

A: CVE-2021-21347 is rated medium severity, but its impact is remote code execution: it can allow a remote attacker to execute arbitrary code on the system.

Q: What is the CVSS 3 score of CVE-2021-21347?

A: The CVSS 3 score of CVE-2021-21347 is 6.1, which indicates a medium severity vulnerability.

Q: What is the suggested fix for CVE-2021-21347?

A: The suggested fix for CVE-2021-21347 is to upgrade the version of XStream to at least 1.4.16.

Q: Why is it essential to address CVE-2021-21347?

A: It is essential to address CVE-2021-21347 because it can allow a remote attacker to execute arbitrary code on the system, which can lead to data breaches, system compromise, and other security risks.

Q: How can I check if my application is vulnerable to CVE-2021-21347?

A: You can check if your application is vulnerable to CVE-2021-21347 by reviewing the dependency hierarchy of the vulnerable library and checking the version of XStream used in your application.

Q: What are the best practices to prevent similar vulnerabilities in the future?

A: The best practices to prevent similar vulnerabilities in the future are:

  • Regularly review and update dependencies
  • Use a whitelist limited to the minimal required types
  • Follow the recommended security framework setup for XStream
  • Use a secure version of XStream

Q: What are the consequences of not addressing CVE-2021-21347?

A: The consequences of not addressing CVE-2021-21347 can be severe, including:

  • Data breaches
  • System compromise
  • Loss of sensitive data
  • Reputation damage

Conclusion

In conclusion, CVE-2021-21347 is a medium severity vulnerability in XStream before version 1.4.16 that can allow a remote attacker to execute arbitrary code on the system. It is essential to address this vulnerability by upgrading the version of XStream to at least 1.4.16 and following the recommended security framework setup for XStream.

Recommendations

  • Regularly review and update dependencies
  • Use a whitelist limited to the minimal required types
  • Follow the recommended security framework setup for XStream
  • Use a secure version of XStream
  • Address CVE-2021-21347 as soon as possible to prevent potential security risks.