CVE-2021-21344 Overview
CVE-2021-21344 is a critical insecure deserialization vulnerability in XStream, a widely-used Java library for serializing objects to XML and back. In XStream versions prior to 1.4.16, a remote attacker can load and execute arbitrary code from a remote host by manipulating the processed input stream. This vulnerability bypasses XStream's default blacklist-based security framework, allowing attackers to achieve remote code execution without authentication.
Users who configured XStream's security framework with a whitelist limited to minimal required types are not affected. However, those relying on XStream's default blacklist protection must upgrade to at least version 1.4.16 to mitigate this vulnerability.
Critical Impact
Remote attackers can achieve arbitrary code execution by sending malicious XML payloads to applications using vulnerable XStream versions, potentially leading to complete system compromise.
Affected Products
- XStream versions prior to 1.4.16
- Apache ActiveMQ (versions 5.16.0, 5.16.1, and earlier)
- Apache JMeter
- NetApp OnCommand Insight
- Oracle MySQL Server, Banking Platform, WebCenter Portal, and multiple Oracle products
- Debian Linux 9.0, 10.0, 11.0
- Fedora 33, 34, 35
Discovery Timeline
- 2021-03-23 - CVE-2021-21344 published to NVD
- 2025-05-23 - Last updated in NVD database
Technical Details for CVE-2021-21344
Vulnerability Analysis
This vulnerability represents a fundamental weakness in XStream's deserialization handling. When XStream processes XML input containing specially crafted object graphs, it can be tricked into instantiating arbitrary Java classes and invoking methods that lead to remote code execution. The vulnerability exists because XStream's default security model relies on a blacklist approach, which attempts to block known dangerous classes but fails to anticipate all possible attack vectors.
The flaw allows attackers to construct XML payloads that reference classes not included in the blacklist, effectively bypassing the security controls. When these payloads are deserialized by a vulnerable XStream instance, the attacker-controlled code executes within the context of the application, inheriting its privileges and access to system resources.
Root Cause
The root cause of CVE-2021-21344 lies in XStream's default reliance on a blacklist-based security mechanism rather than a whitelist approach. The blacklist attempts to prevent deserialization of known dangerous classes, but this reactive approach cannot anticipate all possible gadget chains that attackers might discover. Additionally, XStream's permissive default configuration allows the deserialization of complex object graphs without proper validation of the class types being instantiated.
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), though it more broadly relates to insecure deserialization patterns where untrusted input controls object instantiation.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker crafts a malicious XML payload containing serialized Java objects that, when deserialized by XStream, trigger arbitrary code execution. The attacker can leverage Java gadget chains present in the application's classpath to construct the attack payload.
The exploitation process typically involves:
- Identifying an application endpoint that accepts XML input processed by XStream
- Analyzing the application's classpath for exploitable gadget chains
- Constructing a malicious XML payload that chains together objects to achieve code execution
- Sending the payload to the vulnerable endpoint
- The XStream library deserializes the payload, instantiating the malicious objects and executing attacker-controlled code
The vulnerability allows loading and executing arbitrary code from a remote host, meaning attackers can instruct the compromised application to fetch and execute additional payloads from attacker-controlled servers.
Detection Methods for CVE-2021-21344
Indicators of Compromise
- Unusual outbound network connections from Java applications to unknown external hosts
- Unexpected process spawning from Java Virtual Machine (JVM) processes
- Anomalous XML payloads in application logs containing references to uncommon Java classes such as javax.swing, com.sun, or reflection-related classes
- Evidence of remote class loading or dynamic code execution in application logs
Detection Strategies
- Monitor application logs for XML deserialization errors or exceptions related to blocked class types
- Implement network monitoring to detect outbound connections from application servers to unexpected destinations
- Deploy runtime application self-protection (RASP) solutions to detect deserialization attacks
- Scan application dependencies using software composition analysis (SCA) tools to identify vulnerable XStream versions
- Review application endpoints that accept XML input for proper input validation and XStream security configuration
Monitoring Recommendations
- Enable verbose logging for XStream operations to capture deserialization attempts
- Monitor JVM metrics for unusual memory allocation patterns or CPU spikes that may indicate exploitation attempts
- Implement intrusion detection rules to identify malicious XML payloads targeting XStream vulnerabilities
- Regularly audit application dependencies and their versions against known vulnerability databases
How to Mitigate CVE-2021-21344
Immediate Actions Required
- Upgrade XStream to version 1.4.16 or later immediately
- Review and update all applications using XStream as a dependency, including Apache ActiveMQ, Apache JMeter, and Oracle products
- Implement XStream's security framework with an explicit whitelist of allowed types rather than relying on the default blacklist
- Audit all endpoints accepting XML input to identify exposure to this vulnerability
- Consider implementing network segmentation to limit the impact of potential exploitation
Patch Information
The XStream project has addressed this vulnerability in version 1.4.16 and later. Organizations should consult the X-Stream Changes Version 1.4.16 page for detailed release notes. For Oracle products, refer to the Oracle January 2022 Security Alert for specific patch availability.
Additional vendor advisories include:
- GitHub Security Advisory GHSA-59jw-jqf4-3wq3
- NetApp Security Advisory NTAP-20210430-0002
- Debian Security Advisory DSA-5004
Workarounds
- Configure XStream with a custom security framework using a whitelist of explicitly allowed types as described in the X-Stream Security Workaround Information
- Restrict network access for applications using XStream to prevent external code loading
- Implement input validation to reject suspicious XML payloads before they reach XStream processing
- Consider alternative serialization libraries with stronger security defaults if XStream cannot be upgraded
// Recommended XStream Security Configuration
XStream xstream = new XStream();
// Clear all permissions first
xstream.addPermission(NoTypePermission.NONE);
// Only allow specific types your application needs
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypes(new Class[] { YourSafeClass.class, AnotherSafeClass.class });
xstream.allowTypesByWildcard(new String[] { "com.yourcompany.safepackage.**" });
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
