Issues » XStream vulnerable to arbitrary execution of code

Issue: SI-57
Date: May 19, 2021, 5:00:00 AM
Severity: Critical
Requires Admin Access: Yes
Fix Version: 21.05, 5.3.8.5
Credit: TheGrandPew
Description:

An issue was discovered in dotCMS 3.0 through 5.3.8.4 and 20.10 through 21.04. When PUTting or POSTing content via /api/content in the XML format, the processed XML stream, at unmarshalling time, contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream, and replace or inject objects that result in execution of arbitrary code, loaded from a remote server. dotCMS is vulnerable to these attacks because of the use of XStream to unmarshall the XML object.

Mitigation:

It is possible to mitigate this attack in a number of ways.

  1. Install this OSGI based hotfix, which prevents all access to the affected endpoint. See below for the link. 
  2. To disallow anonymous access to the endpoint in the dotCMS 5.x series that use the config CONTENT_APIS_ALLOW_ANONYMOUS, set:

    CONTENT_APIS_ALLOW_ANONYMOUS=NONE

    Doing this will not completely prevent the issue, but it will prevent the issue from being exploitable anonymously.

  3. In your Web Application Firewall, disallow PUT and POST methods to /api/content that also are of contentType=application/xml

References

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2021-32916

HOTFIX:
A hotfix for this issue is available as an osgi plugin here:
https://github.com/dotCMS/patches-hotfixes/tree/master/com.dotcms.xml.requestblocker