CVE-2021-21243

10.0 CRITICAL

📋 TL;DR

This vulnerability in OneDev allows unauthenticated remote code execution via insecure deserialization in Kubernetes REST endpoints. Attackers can exploit this to execute arbitrary code on affected systems without any authentication. All OneDev instances before version 4.0.3 are vulnerable.

💻 Affected Systems

Products:
  • OneDev
Versions: All versions before 4.0.3
Operating Systems: All platforms running OneDev
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable as the Kubernetes REST endpoints are exposed without authentication by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the OneDev server, potentially leading to data theft, lateral movement, and persistent backdoors.

🟠 Likely Case

Remote code execution allowing attackers to deploy malware, exfiltrate sensitive data, or disrupt DevOps operations.

🟢 If Mitigated

No impact if patched to version 4.0.3 or later, or if network access controls prevent access to vulnerable endpoints.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and can be exploited remotely over the network.
🏢 Internal Only: HIGH - Even internally, the lack of authentication means any internal attacker or compromised system can exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit due to the lack of authentication and the use of insecure deserialization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.3

Vendor Advisory: https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv

Restart Required: Yes

Instructions:

1. Backup your OneDev instance and data.
2. Stop the OneDev service.
3. Upgrade to version 4.0.3 or later using the official upgrade instructions.
4. Restart the OneDev service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Network Access Control (linux)

Restrict network access to the OneDev instance using firewall rules to only allow trusted IP addresses.

# Allow the trusted source first, then drop everything else on the OneDev port.
# Rule order matters: -A appends, so check that no earlier rule in INPUT already accepts this traffic.
# [onedev-port] and [trusted-ip] are placeholders for your deployment.
iptables -A INPUT -p tcp --dport [onedev-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [onedev-port] -j DROP

Reverse Proxy Authentication (all)

Place OneDev behind a reverse proxy that enforces authentication before requests reach the vulnerable endpoints.

🧯 If You Can't Patch

  • Isolate the OneDev instance in a separate network segment with strict access controls.
  • Implement network monitoring and intrusion detection specifically for suspicious requests to Kubernetes REST endpoints.

🔍 How to Verify

Check if Vulnerable:

Check the OneDev version via the web interface or by examining the installation directory. If the version is below 4.0.3, the system is vulnerable.

Check Version:

Check the web interface at /admin/about or examine the server logs for version information.

Verify Fix Applied:

After upgrading, verify the version is 4.0.3 or higher and test that the Kubernetes REST endpoints no longer accept deserialization requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to Kubernetes REST endpoints
  • Deserialization errors in logs
  • Unexpected process execution from OneDev

Network Indicators:

  • POST requests to /~api/kubernetes/* endpoints with serialized data
  • Unusual outbound connections from OneDev server

SIEM Query:

source="onedev" AND (uri_path="/~api/kubernetes/*" OR message="*deserialization*")
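The two indicators above (POSTs to /~api/kubernetes/* and deserialization errors in the application log) turned into a small offline detector, added here as an illustration and not part of the advisory or of OneDev. The access-log layout, the endpoint sub-path and the error message text are assumptions; the sample lines are constructed.

```python
import re
from typing import Dict, List

# Combined access-log layout (assumed); adjust the regex to what your reverse proxy writes.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators from the advisory: POSTs to the Kubernetes REST endpoints and
# deserialization errors in the OneDev application log.
KUBE_PREFIX = "/~api/kubernetes/"
DESER_RE = re.compile(r"deserializ", re.IGNORECASE)


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag POST requests whose path starts with /~api/kubernetes/."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        if m.group("method") == "POST" and m.group("path").startswith(KUBE_PREFIX):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "path": m.group("path"), "status": m.group("status")})
    return hits


def scan_app_log(lines: List[str]) -> List[str]:
    """Return application-log lines that mention deserialization."""
    return [line for line in lines if DESER_RE.search(line)]


# Constructed sample data (documentation IP ranges, hypothetical sub-path), not real traffic.
SAMPLE_ACCESS = [
    '203.0.113.5 - - [10/Jan/2021:12:00:01 +0000] "GET /projects HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2021:12:00:02 +0000] "POST /~api/kubernetes/example HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Jan/2021:12:00:03 +0000] "GET /~api/kubernetes/example HTTP/1.1" 405 0',
    '198.51.100.9 - - [10/Jan/2021:12:00:04 +0000] "POST /~api/repositories HTTP/1.1" 200 88',
]
SAMPLE_APP = [
    "2021-01-10 12:00:02 ERROR Deserialization failed: java.io.StreamCorruptedException",
    "2021-01-10 12:00:05 INFO  Server started",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS):
        print("suspicious kubernetes POST:", hit)
    for line in scan_app_log(SAMPLE_APP):
        print("deserialization error:", line)
```

Correlating a flagged POST with a deserialization error at the same timestamp is the signal worth alerting on; either alone can be legitimate agent traffic or an unrelated bug.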
