CVE-2021-37533 Overview
CVE-2021-37533 is an input validation vulnerability in Apache Commons Net versions prior to 3.9.0. The FTP client component trusts the host address provided in PASV (passive mode) responses by default, allowing a malicious FTP server to redirect connections to arbitrary hosts. While exploitation requires the victim to initially connect to a malicious server, successful attacks can lead to information leakage about services running on the client's private network.
Critical Impact
A malicious FTP server can redirect Apache Commons Net FTP client connections to internal network hosts, potentially exposing sensitive information about private network services and infrastructure.
Affected Products
- Apache Commons Net versions prior to 3.9.0
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- 2022-12-03 - CVE CVE-2021-37533 published to NVD
- 2025-04-24 - Last updated in NVD database
Technical Details for CVE-2021-37533
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the Apache Commons Net FTP client's handling of PASV mode responses. When an FTP client operates in passive mode, it requests the server provide a host and port for data connections. Prior to version 3.9.0, the Commons Net FTP client blindly trusted the host address returned in PASV responses, which could differ from the original server address.
An attacker operating a malicious FTP server can exploit this trust relationship to redirect the client's data connections to arbitrary hosts on the victim's network. This Server-Side Request Forgery (SSRF) attack pattern enables network reconnaissance and information disclosure about internal services that would otherwise be inaccessible from external networks.
Root Cause
The root cause is improper input validation in the FTP client's PASV response parsing logic. The client failed to validate that the host address returned in PASV responses matched the original server address, defaulting to trusting any host provided by the server. This behavior deviated from security best practices followed by other FTP clients like cURL, which ignore untrusted host redirections by default.
Attack Vector
The attack vector is network-based and requires user interaction. The attack flow involves:
- An attacker operates a malicious FTP server accessible to the victim
- The victim's application using Apache Commons Net connects to the malicious server
- When the client requests passive mode (PASV), the server responds with an internal IP address belonging to the victim's private network
- The Commons Net client attempts to connect to the attacker-specified internal host for data transfer
- The connection attempt reveals information about internal services (port status, banners, etc.)
This attack enables network scanning and service enumeration of hosts behind the victim's firewall, potentially exposing sensitive infrastructure details. The fix in version 3.9.0 changes the default behavior to ignore untrusted hosts in PASV responses, matching the secure behavior of cURL. For technical details, see the Apache JIRA issue NET-711.
Detection Methods for CVE-2021-37533
Indicators of Compromise
- FTP client connections initiating unexpected connections to internal network addresses
- Network traffic showing data connections to hosts different from the original FTP server
- Anomalous FTP passive mode data transfers targeting internal IP ranges
- Connection attempts from FTP-enabled applications to non-standard internal services
Detection Strategies
- Monitor for FTP data connections that do not match the control connection destination
- Implement network segmentation alerts for FTP clients connecting to restricted internal subnets
- Review application dependencies for vulnerable Apache Commons Net versions (prior to 3.9.0)
- Deploy IDS/IPS rules to detect PASV responses containing private IP address ranges
Monitoring Recommendations
- Enable detailed logging for FTP client operations in applications using Apache Commons Net
- Monitor egress traffic from systems running vulnerable library versions
- Implement Software Composition Analysis (SCA) to identify vulnerable dependencies
- Track connection patterns from FTP-enabled applications for anomalous internal targeting
How to Mitigate CVE-2021-37533
Immediate Actions Required
- Upgrade Apache Commons Net to version 3.9.0 or later immediately
- Review all applications using Apache Commons Net for FTP functionality
- If immediate upgrade is not possible, configure the FTP client to ignore PASV host redirection
- Audit network traffic from systems using vulnerable library versions for signs of exploitation
Patch Information
Apache has addressed this vulnerability in Commons Net version 3.9.0. The fix changes the default behavior to ignore untrusted hosts in PASV responses, aligning with the security approach used by cURL. Organizations should update their Maven or Gradle dependencies to use version 3.9.0 or later. For Debian systems, security updates are available through DSA-5307 and through the Debian LTS announcement. Additional details are available in the Apache Mailing List Thread.
Workarounds
- Configure the FTPClient to explicitly set setRemoteVerificationEnabled(true) if upgrading is not immediately possible
- Implement network-level controls to prevent FTP data connections to internal networks
- Use application-level firewalls to restrict FTP client outbound connections
- Consider replacing FTP with more secure file transfer protocols such as SFTP or SCP
# Maven dependency update example
# Update pom.xml to use patched version
# Change: <version>3.8.0</version>
# To: <version>3.9.0</version>
# Verify installed version in Maven projects
mvn dependency:tree -Dincludes=commons-net:commons-net
# For Gradle projects, update build.gradle
# implementation 'commons-net:commons-net:3.9.0'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
