CVE-2021-29485

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote code execution via Java deserialization attacks against Ratpack's session store. Attackers can execute arbitrary code on vulnerable systems by crafting malicious gadget chains. Only applications using Ratpack's session mechanism are affected.

💻 Affected Systems

Products:
  • Ratpack
Versions: All versions prior to 1.9.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if using Ratpack's session mechanism. Applications not using sessions are not affected.

📦 What is this software?

Ratpack is a set of Java libraries for building HTTP applications on the JVM. The affected component is its session support, which stores session values using Java serialization.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the server, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential pivot to other systems.

🟢 If Mitigated

No impact if session mechanism is not used or proper allow-list controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of Java deserialization gadget chains and access to session store.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0

Vendor Advisory: https://github.com/ratpack/ratpack/security/advisories/GHSA-hc33-32vw-rpp9

Restart Required: Yes

Instructions:

1. Update Ratpack dependency to version 1.9.0 or later.
2. Update pom.xml or build.gradle to use ratpack-core:1.9.0+.
3. Restart the application.

🔧 Temporary Workarounds

Implement custom SessionSerializer with allow-list (applies to: all platforms)

Manually backport the allow-list mechanism by creating a custom SessionSerializer implementation that restricts deserialization to the classes the application actually stores in sessions.

Restrict session store write access (applies to: all platforms)

Implement access controls to reduce the likelihood of attackers writing to the session data store.
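An allow-listing deserializer of the kind the first workaround describes, added here as an example rather than code from Ratpack; the deserialize(type, in) shape, the binding into Ratpack's SessionSerializer interface, and the allow-list contents are assumptions, and the payloads in main are constructed samples.

```java
import java.io.*;
import java.util.*;

// Allow-list deserializer for session values (added example, not Ratpack's code); the
// deserialize(type, in) shape and the allow-list contents are assumptions.
public class AllowListSessionDeserializer {
    private final Set<String> allowed;

    public AllowListSessionDeserializer(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
    }
    // Reject any class descriptor not on the allow-list before the class is resolved,
    // so a gadget class is never loaded, let alone instantiated.
    public <T> T deserialize(Class<T> type, InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not in session allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return type.cast(ois.readObject());
        }
    }
    // Builds the constructed sample payloads used by main; not part of the deserializer.
    static byte[] toBytes(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The session value type plus each serializable superclass in its stream (Integer -> Number).
        Set<String> allowed = Set.of("java.util.ArrayList", "java.lang.Integer", "java.lang.Number");
        AllowListSessionDeserializer d = new AllowListSessionDeserializer(allowed);

        byte[] ok = toBytes(new ArrayList<>(List.of(1, 2, 3)));  // constructed, allow-listed payload
        System.out.println("accepted: " + d.deserialize(ArrayList.class, new ByteArrayInputStream(ok)));
        byte[] bad = toBytes(new Date(0));  // constructed payload whose type is not allow-listed
        try {
            d.deserialize(Object.class, new ByteArrayInputStream(bad));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens in resolveClass, before any class is loaded, which is what makes the allow-list effective against gadget chains; the list must name every serializable superclass of each stored type, not just the top-level class.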

🧯 If You Can't Patch

  • Disable Ratpack session mechanism entirely if not required
  • Implement network segmentation and strict firewall rules to limit access to vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Check if application uses Ratpack sessions and version is below 1.9.0. Review pom.xml or build.gradle for ratpack-core dependency version.

Check Version:

grep -i ratpack pom.xml build.gradle build.gradle.kts 2>/dev/null

If the version is not stated in the build file (for example when it is inherited from a parent POM or a BOM), check the application startup logs for the resolved Ratpack version.

Verify Fix Applied:

Confirm ratpack-core version is 1.9.0 or higher in dependency files and verify application restarted successfully.

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected session data modifications
  • Stack traces containing deserialization-related classes

Network Indicators:

  • Unusual session data payloads
  • Large or malformed session cookies

SIEM Query:

source="application.logs" AND ("deserialization" OR "SessionSerializer" OR "InvalidClassException")

🔗 References
