CVE-2021-27850

9.8 CRITICAL

📋 TL;DR

CVE-2021-27850 is a critical unauthenticated remote code execution vulnerability in Apache Tapestry that allows attackers to bypass previous security fixes and download sensitive class files containing HMAC secret keys. This affects all recent versions of Apache Tapestry including 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Attackers can use the stolen secret key to sign malicious Java gadget chains and achieve remote code execution.

💻 Affected Systems

Products:
  • Apache Tapestry
Versions: 5.4.0 to 5.6.1, and 5.7.0
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using affected versions are vulnerable; the vulnerability bypasses previous security fixes for CVE-2019-0195.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, allowing attackers to execute arbitrary commands, install malware, steal data, and pivot to other systems.

🟠 Likely Case

Data exfiltration and server compromise through remote code execution, potentially leading to credential theft, data breaches, and backdoor installation.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though sensitive information disclosure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of Java gadget chains (e.g., CommonsBeanUtils1 from ysoserial) but the vulnerability itself is simple to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.2 for versions 5.4.0-5.6.1; 5.7.1 for version 5.7.0

Vendor Advisory: https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E

Restart Required: Yes

Instructions:

1. Identify current Apache Tapestry version.
2. If version is 5.4.0-5.6.1, upgrade to 5.6.2 or later.
3. If version is 5.7.0, upgrade to 5.7.1 or later.
4. Restart the application server.

🔧 Temporary Workarounds

Web Application Firewall Rule (Platform: all)

Block requests containing .class/ patterns in URLs: add a WAF rule to block URLs containing ".class/" or patterns matching asset file exploitation.

Network Access Control (Platform: all)

Restrict access to Tapestry applications to trusted networks only: configure firewall rules to limit access to Tapestry application ports.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable Tapestry applications from sensitive systems
  • Deploy web application firewall with rules to block exploitation patterns and monitor for attack attempts

🔍 How to Verify

Check if Vulnerable:

Check if application responds to crafted URL: http://[host]:[port]/assets/anything/services/AppModule.class/

Check Version:

Check application configuration files or deployment descriptors for Tapestry version

Verify Fix Applied:

After patching, verify the crafted URL no longer returns the AppModule.class file

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ".class/" in URL paths
  • Unusual file access patterns to class files from web requests
  • Multiple failed attempts to access protected resources

Network Indicators:

  • HTTP GET requests with .class/ patterns in asset paths
  • Unusual traffic to /assets/ endpoints with crafted parameters

SIEM Query:

source="web_server_logs" AND (url="*.class/*" OR url="*/services/*.class/*")
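A small log scanner for the indicators above, added here as an example and not part of the original advisory. It parses constructed combined-format web server log lines (sample data, not real traffic) and flags requests for class files served through the /assets/ handler, percent-decoding the path first so an encoded variant of ".class/" is caught as well as the literal form.

```python
import re
from urllib.parse import unquote

# Combined log format (Apache/nginx style); fields we need are ip, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A compiled class file requested through the Tapestry asset handler,
# e.g. /assets/<anything>/services/AppModule.class/
CLASS_ASSET_RE = re.compile(r'/assets/.*\.class/', re.IGNORECASE)

# Constructed sample log lines (not real traffic); the second and third
# lines are the pattern the advisory describes, the others are benign.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Apr/2021:10:01:02 +0000] "GET /assets/meta/z1/tapestry5/tapestry.js HTTP/1.1" 200 5120
203.0.113.7 - - [10/Apr/2021:10:01:05 +0000] "GET /assets/anything/services/AppModule.class/ HTTP/1.1" 200 2210
203.0.113.7 - - [10/Apr/2021:10:01:09 +0000] "GET /assets/x/services/AppModule%2Eclass/ HTTP/1.1" 200 2210
198.51.100.9 - - [10/Apr/2021:10:02:00 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_class_asset_request(path):
    """True if the request path targets a .class file under /assets/."""
    # Drop any query string, then percent-decode so "%2Eclass" is seen as ".class".
    decoded = unquote(path.split("?", 1)[0])
    return bool(CLASS_ASSET_RE.search(decoded))


def find_suspicious(log_text):
    """Return (ip, path, status) for every matching request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_class_asset_request(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_suspicious(SAMPLE_LOGS):
        # An HTTP 200 here means the class file was actually served.
        print(f"ALERT {ip} requested {path} (HTTP {status})")
```

An HTTP 200 on a flagged request means the class file was served and the host should be treated as unpatched; after upgrading, the same requests should no longer return 200.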
