CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack
First published: Fri May 14 2021(Updated: )
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xstream | <0:1.3.1-14.el7_9 | 0:1.3.1-14.el7_9 |
| debian/libxstream-java | 1.4.11.1-1+deb10u3 1.4.11.1-1+deb10u4 1.4.15-3+deb11u2 1.4.20-1 | |
| redhat/xstream | <1.4.17 | 1.4.17 |
| Xstream Project Xstream | <1.4.17 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Oracle Banking Cash Management | =14.2 | |
| Oracle Banking Cash Management | =14.3 | |
| Oracle Banking Cash Management | =14.5 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Trade Finance Process Management | =14.5.0 | |
| Oracle Business Activity Monitoring | =11.1.1.9.0 | |
| Oracle Business Activity Monitoring | =12.2.1.3.0 | |
| Oracle Business Activity Monitoring | =12.2.1.4.0 | |
| Oracle Communications Brm - Elastic Charging Engine | =11.3 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0 | |
| Oracle Communications Unified Inventory Management | =7.3.4 | |
| Oracle Communications Unified Inventory Management | =7.3.5 | |
| Oracle Communications Unified Inventory Management | =7.4.0 | |
| Oracle Communications Unified Inventory Management | =7.4.1 | |
| Oracle Communications Unified Inventory Management | =7.4.2 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle Retail Xstore Point of Service | =20.0.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 |
Remedy
Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. Allow list approach ```java XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.misc.classname"}) ``` Deny list for XStream 1.4.16 (this should also address some previous flaws found in 1.4.7 - > 1.4.15) ```java xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" }); ``` Deny list for XStream 1.4.15 ```java xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" }); xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" }); xstream.denyTypeHierarchy(java.io.InputStream.class ); xstream.denyTypeHierarchy(java.nio.channels.Channel.class ); xstream.denyTypeHierarchy(javax.activation.DataSource.class ); xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class ); ``` Deny list for XStream 1.4.13 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); ``` Deny list for XStream 1.4.7 -> 1.4.12 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); ``` Deny list for versions prior to XStream 1.4.7 ```java xstream.registerConverter(new Converter() { public boolean canConvert(Class type) { return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type)); } public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } }, XStream.PRIORITY_LOW); ```
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-29505 https://nvd.nist.gov/vuln/detail/CVE-2021-29505 https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc https://x-stream.github.io/CVE-2021-29505.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1966735
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/errata/RHSA-2022:0297
- https://access.redhat.com/errata/RHSA-2021:2683
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:0296
- https://access.redhat.com/security/cve/cve-2021-29505
- https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
- https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
- https://security-tracker.debian.org/tracker/CVE-2021-29505
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1966736
- https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream
- https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f
- https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://security.netapp.com/advisory/ntap-20210708-0007/
- https://www.debian.org/security/2021/dsa-5004
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-29505?
CVE-2021-29505 is a vulnerability in XStream, a software for serializing Java objects to XML, which allows a remote attacker to execute commands by manipulating the input stream.
What is the severity of CVE-2021-29505?
The severity of CVE-2021-29505 is high with a CVSS score of 8.8.
Which versions of XStream are affected by CVE-2021-29505?
Versions of XStream prior to 1.4.17 are affected by CVE-2021-29505.
How can I fix CVE-2021-29505?
To fix CVE-2021-29505, it is recommended to update XStream to version 1.4.17 or later.
Where can I find more information about CVE-2021-29505?
You can find more information about CVE-2021-29505 on the GitHub security advisory and the Red Hat Bugzilla page.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-29505
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/references
- agent/tags
- agent/event
- package-manager/redhat
- package-manager/debian
- vendor/xstream project
- canonical/xstream project xstream
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/netapp
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- vendor/oracle
- canonical/oracle banking cash management
- version/oracle banking cash management/14.2
- version/oracle banking cash management/14.3
- version/oracle banking cash management/14.5
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.5.0
- canonical/oracle business activity monitoring
- version/oracle business activity monitoring/11.1.1.9.0
- version/oracle business activity monitoring/12.2.1.3.0
- version/oracle business activity monitoring/12.2.1.4.0
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/11.3
- version/oracle communications brm - elastic charging engine/12.0
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.3.4
- version/oracle communications unified inventory management/7.3.5
- version/oracle communications unified inventory management/7.4.0
- version/oracle communications unified inventory management/7.4.1
- version/oracle communications unified inventory management/7.4.2
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- version/oracle retail xstore point of service/20.0.1
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0