Describe and fix CVE-2021-43859.

xstream-distribution/src/content/CVE-2021-43859.html

@@ -0,0 +1,199 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 23. December 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-43859</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-43859: XStream can cause a Denial of Service by injecting highly recursive collections or maps.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.18 are affected.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in exponential recursively hashcode calculation, causing a denial
+ of service.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>The attack uses the hashcode implementation of collection types in the Java runtime. Following types are affected with
+ lastest Java versions available in December 2021:</p>
+ <ul>
+ <li>java.util.HashMap</li>
+ <li>java.util.HashSet</li>
+ <li>java.util.Hashtable</li>
+ <li>java.util.LinkedHashMap</li>
+ <li>java.util.LinkedHashSet</li>
+ <li>java.util.Stack (older Java revisions only)</li>
+ <li>java.util.Vector (older Java revisions only)</li>
+ <li>Other third party collection implementations that use their element's hash code may also be affected</li> 
+ </ul>
+ <p>Create a simple HashSet and use XStream to marshal it to XML. Replace the XML with following snippet, increase the
+ depth of the structure and unmarshal it with XStream:</p>
+<div class="Source XML"><pre>&lt;set&gt;
+ &lt;set&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;set&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;set&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;/set&gt;
+ &lt;set&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;/set&gt;
+ &lt;/set&gt;
+ &lt;set&gt;
+ &lt;set reference=&quot;../../set/set&quot;/&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;set reference=&quot;../../set/set[2]&quot;/&gt;
+ &lt;/set&gt;
+ &lt;/set&gt;
+ &lt;set&gt;
+ &lt;set reference=&quot;../../set/set&quot;/&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;set reference=&quot;../../set/set[2]&quot;/&gt;
+ &lt;/set&gt;
+&lt;/set&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+ <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet, increase the
+ depth of the structure and unmarshal it with XStream:</p>
+<div class="Source XML"><pre>&lt;map&gt;
+ &lt;entry&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;a&lt;/string&gt;
+ &lt;string&gt;b&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;c&lt;/string&gt;
+ &lt;string&gt;d&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
+ &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;c&lt;/string&gt;
+ &lt;string&gt;d&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
+ &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
+ &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
+ &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;map&gt;
+ &lt;entry&gt;
+ &lt;string&gt;c&lt;/string&gt;
+ &lt;string&gt;d&lt;/string&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
+ &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
+ &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
+ &lt;/entry&gt;
+ &lt;/map&gt;
+ &lt;/entry&gt;
+ &lt;entry&gt;
+ &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
+ &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
+ &lt;/entry&gt;
+&lt;/map&gt;
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML is unmarshalled, the hash codes of the elements are calculated and the calculation time increases
+ exponentially due to the highly recursive structure.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format, that supports references, i.e.
+ JSON is not affected.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU
+ type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:</p>
+
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.setMode(XStream.NO_REFERENCES);
+</pre></div>
+
+ <p>If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you
+ can use the security framework to deny the usage of these types:</p>
+
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.denyTypes(new Class[]{
+ java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
+});
+</pre></div>
+
+ <p>Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default
+ map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:</p>
+
+<div class="Source Java"><pre>xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
+xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
+</pre></div>
+
+ <p>However, this implies that your application does not care about the implementation of the map and all elements are comparable.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>r00t4dm at Cloud-Penetrating Arrow Lab found and reported the issue to XStream and provided the required information to
+ reproduce it.</p>
+
+ </body>
+ </html>

xstream-distribution/src/content/changes.html

@@ -39,6 +39,20 @@ <h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1>
 
  <p>Not yet released.</p>
 
+ <p class="highlight">This maintenance release addresses the security vulnerability
+ <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a
+ Denial of Service.</p>
+
+ <h2>API changes</h2>
+
+ <ul>
+ <li>Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and c.t.x.XStream.COLLECTION_UPDATE_SECONDS.</li>
+ <li>Added c.t.x.XStream.setCollectionUpdateLimit(int).</li>
+ <li>Added c.t.x.core.SecurityUtils.</li>
+ <li>Added c.t.x.security.AbstractSecurityException and c.t.x.security.InputManipulationException.</li>
+ <li>c.t.x.security.InputManipulationException derives now from c.t.x.security.AbstractSecurityException.</li>
+ </ul>
+
  <h1 id="1.4.18">1.4.18</h1>
 
  <p>Released August 22, 2021.</p>

xstream-distribution/src/content/security.html

@@ -30,13 +30,13 @@
  context of the server running the XStream process or cause a denial of service by crashing the application or
  manage to enter an endless loop consuming 100% of CPU cycles.</p>
 
- <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for
- the same attacks.</p>
+ <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can usually be used
+ for the same attacks.</p>
 
- <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing
- objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail.
- The latter case will raise an exception, but the former case must be handled by validity checks in any application
- which processes user-supplied XML.</p>
+ <p>The XML data can be manipulated on different levels. For example, manipulating values on existing objects (such
+ as a price value), accessing private data, or breaking the format and causing the XML parser to fail. The latter
+ case will raise an exception, but the former case must be handled by validity checks in any application which
+ processes user-supplied XML.</p>
 
  <h2 id="CVEs">Documented Vulnerabilities</h2>
 
@@ -49,6 +49,14 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
  <th>CVE</th>
  <th>Description</th>
  </tr>
+ <tr>
+ <th>Version 1.4.18</th>
+ <td></td>
+ </tr>
+ <tr>
+ <th><a href="CVE-2021-43859.html">CVE-2021-43859</a></th>
+ <td>XStream can cause a Denial of Service by injecting highly recursive collections or maps.</td>
+ </tr>
  <tr>
  <th>Version 1.4.17</th>
  <td></td>
@@ -258,6 +266,16 @@ <h2 id="implicit">Implicit Security</h2>
  because no-one can assure, that no other vulnerability is found. A better approach is the usage of a whitelist
  i.e. the allowed class types are setup explicitly. This is the default for XStream 1.4.18 (see below).</p>
 
+ <p>XStream supports references to objects already occuring on the object graph in an earlier location. This allows
+ an attacker to create a highly recursive object structure. Some collections or maps calculate the position of a
+ member based on the data of the member itself. This is true for sorting collections or maps, but also for
+ collections or maps based on the hash code of the individual members. The calculation time for the member's
+ position can increase exponentially depending on the recursive depth of the structure and cause therefore a Denial
+ of Service. Therefore XStream measures the time consumed to add an element to a collection or map since version
+ 1.4.19. Normally this operation is performed in a view milliseconds, but if adding elements take longer than a
+ second, then the time is accumulated and an exception is thrown if it exceeds a definable limit (20 seconds by
+ default).</p> 
+
  <h2 id="explicit">Explicit Security</h2>
 
  <p>Starting with XStream 1.4.7, it is possible to define <a href="#framework">permissions</a> for types, to check
@@ -285,6 +303,16 @@ <h2 id="explicit">Explicit Security</h2>
  <p class=highlight>Apart from value manipulations, this implementation still allows the injection of allowed
  objects at wrong locations, e.g. inserting an integer into a list of strings.</p>
 
+ <p>To avoid an attack based on the position of an element in a collection or map, you should also use XStream's
+ default converters for 3rd party or own implementations of collections or maps. Own custom converters of such
+ types should measure the time to add an element at deserialization time using the following sequence in the
+ implementation of the unmarshal method:<div class="Source Java">
+<pre>// unmarshal element of collection 
+long now = System.currentTimeMillis();
+// add element here, e.g. list.add(element);
+SecurityUtils.checkForCollectionDoSAttack(context, now);
+</pre></div></p> 
+
  <h2 id="validation">XML Validation</h2>
 
  <p>XML itself supports input validation using a schema and a validating parser. With XStream, you can use e.g. a

xstream-distribution/src/content/website.xml

@@ -89,6 +89,7 @@
  <page>CVE-2021-39152.html</page>
  <page>CVE-2021-39153.html</page>
  <page>CVE-2021-39154.html</page>
+ <page>CVE-2021-43859.html</page>
  <page>CVE-2020-26217.html</page>
  <page>CVE-2020-26258.html</page>
  <page>CVE-2020-26259.html</page>

xstream/src/java/com/thoughtworks/xstream/XStream.java

@@ -151,6 +151,7 @@
 import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ArrayTypePermission;
+import com.thoughtworks.xstream.security.InputManipulationException;
 import com.thoughtworks.xstream.security.ExplicitTypePermission;
 import com.thoughtworks.xstream.security.InterfaceTypePermission;
 import com.thoughtworks.xstream.security.NoPermission;
@@ -295,6 +296,8 @@ public class XStream {
 
  // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
  // self-serialization!
+ private int collectionUpdateLimit = 20;
+
  private ReflectionProvider reflectionProvider;
  private HierarchicalStreamDriver hierarchicalStreamDriver;
  private ClassLoaderReference classLoaderReference;
@@ -329,6 +332,9 @@ public class XStream {
  public static final int PRIORITY_LOW = -10;
  public static final int PRIORITY_VERY_LOW = -20;
 
+ public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
+ public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
+
  private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
  private static final Pattern IGNORE_ALL = Pattern.compile(".*");
 
@@ -1182,6 +1188,23 @@ public void setMarshallingStrategy(MarshallingStrategy marshallingStrategy) {
  this.marshallingStrategy = marshallingStrategy;
  }
 
+ /**
+ * Set time limit for adding elements to collections or maps.
+ * 
+ * Manipulated content may be used to create recursive hash code calculations or sort operations. An
+ * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
+ * exceeds the provided limit.
+ * 
+ * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
+ * typically use objects with exponential growing calculation times.
+ * 
+ * @param maxSeconds limit in seconds or 0 to disable check
+ * @since upcoming
+ */
+ public void setCollectionUpdateLimit(int maxSeconds) {
+ collectionUpdateLimit = maxSeconds;
+ }
+
  /**
  * Serialize an object to a pretty-printed XML String.
  *
@@ -1388,6 +1411,13 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
  */
  public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
  try {
+ if (collectionUpdateLimit >= 0) {
+ if (dataHolder == null) {
+ dataHolder = new MapBackedDataHolder();
+ }
+ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
+ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
+ }
  return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
  } catch (ConversionException e) {
  Package pkg = getClass().getPackage();
@@ -2053,15 +2083,23 @@ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader
  * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
  * @since 1.4.10
  */
- public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
+ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
  throws IOException {
+ if (collectionUpdateLimit >= 0) {
+ if (dataHolder == null) {
+ dataHolder = new MapBackedDataHolder();
+ }
+ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
+ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
+ }
+ final DataHolder dh = dataHolder;
  return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
  public Object readFromStream() throws EOFException {
  if (!reader.hasMoreChildren()) {
  throw new EOFException();
  }
  reader.moveDown();
- final Object result = unmarshal(reader, null, dataHolder);
+ final Object result = unmarshal(reader, null, dh);
  reader.moveUp();
  return result;
  }