XStream Vulnerability Notice

DBAPPSecurity SRC has observed that XStream has officially released a security bulletin patching a remote command execution vulnerability in versions prior to 1.4.16. The vulnerability has been assigned CVE-2021-29505. For details, please refer to:

https://x-stream.github.io/CVE-2021-29505.html

The vulnerability may allow a remote attacker with sufficient rights to execute commands on the host to do so solely by manipulating the processed input stream, thereby gaining administrative control of the target system. It is recommended to update to the fixed version as soon as possible.

XStream historical security bulletin reference:

https://x-stream.github.io/security.html

Scope of Impact

The XStream remote code execution vulnerability affects versions before 1.4.16. It is recommended to update to version 1.4.17 or later. Download link:

http://x-stream.github.io/download.html

Vulnerability Description

CVE-2021-29505: According to the analysis, XStream is vulnerable to remote command execution when unmarshalling XML (including JSON). A malicious attacker can use this vulnerability to bypass XStream's blacklist and achieve remote code execution through deserialization.

Mitigation Measures

High risk: At present, the vulnerability details are semi-public and the official POC code has been published. Malicious attackers can also locate the trigger point by comparing the patched and unpatched code and develop exploit code from it. It is recommended to test the fixed version and upgrade in time, or to apply temporary mitigation measures to harden the system. For more details on mitigation measures, please refer to:

https://x-stream.github.io/security.html
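The security page linked above recommends replacing XStream's default blacklist with an explicit allow-list of the types the application actually expects, which is the hardening that blocks blacklist-bypass gadgets such as the one behind CVE-2021-29505. The following Java example is added here and is not code from the advisory or from the XStream project; the `Order` class, the `com.example.app` package pattern and the two sample documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListExample {

    // Hypothetical application DTO standing in for the types the
    // application legitimately unmarshals.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream instance that rejects every type not explicitly allowed.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Drop XStream's default permissions and start from deny-all.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow the harmless basics: null, primitives/boxed types and String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        // Allow only the application's own types; the package pattern is an assumption.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true if the document was accepted, false if the allow-list rejected a type.
    // The rejected class name is logged for detection; the raw input is not echoed back.
    public static boolean tryUnmarshal(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            System.err.println("Rejected type during unmarshal: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: a legitimate document using an allowed type.
        String legitimate = "<order><id>A-1</id><quantity>3</quantity></order>";
        // Constructed sample: a JDK type the application never expects; the
        // allow-list rejects it before any converter runs.
        String unexpected = "<java.util.Properties>"
                + "<property name=\"x\" value=\"y\"/>"
                + "</java.util.Properties>";

        System.out.println("legitimate accepted: " + tryUnmarshal(xstream, legitimate));
        System.out.println("unexpected accepted: " + tryUnmarshal(xstream, unexpected));
    }
}
```

Because the check happens when XStream resolves the element name to a class, a disallowed type is refused with a `ForbiddenClassException` before its converter executes. Logging that exception (class name, source, timestamp) also gives the operations team a signal that someone is probing the deserialization endpoint with unexpected types.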

DBAPPSecurity SRC