CVE-2021-3160

9.8 CRITICAL

📋 TL;DR

CVE-2021-3160 is an unauthenticated remote code execution vulnerability in ASSUWEB 359.3 build 1, a subcomponent of the ACA ASSUREX RENTES insurance contract management software. The login page deserializes Java objects supplied in HTTP requests without validating them, so an attacker who can reach the login page can send a crafted request carrying a malicious serialized object and execute arbitrary code on the server with the privileges of the application. No credentials are needed. Organizations running the affected version of ACA ASSUREX RENTES are at risk.

💻 Affected Systems

Products:
  • ACA ASSUREX RENTES
Versions: ASSUWEB 359.3 build 1
Operating Systems: Any OS on which the ASSUWEB Java application is deployed (the flaw is in the application, not the platform)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable component is part of the ASSUREX RENTES product suite used for insurance contract management.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: the attacker installs malware, steals sensitive data, pivots to internal networks, and maintains persistent access.

🟠 Likely Case

Unauthenticated attackers gain remote code execution on the application server, potentially leading to data theft, ransomware deployment, or full system takeover.

🟢 If Mitigated

With network segmentation and monitoring in place, the blast radius may be limited to the affected application server, but the code execution itself is not prevented: segmentation only limits what the attacker can reach afterwards.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to the login page. Public advisories contain technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact vendor for patched version

Vendor Advisory: https://www.aca.fr/solution/assurex-solution-gestion-des-contrats-assurance/

Restart Required: Yes

Instructions:

1. Contact ACA for the patched version.
2. Apply the patch to the affected ASSUWEB component.
3. Restart the application services.
4. Verify that the fix is in place (see "How to Verify" below).

🔧 Temporary Workarounds

Network Segmentation

Applies to: all deployments

Restrict access to the ASSUWEB login page to trusted IP addresses only.

Use firewall rules to limit access to the port on which ASSUWEB is served to authorized networks. Because the vulnerable endpoint is the login page itself, there is no authenticated-only surface to fall back on: every client that can reach the page can attempt the attack, so the allow-list must be as narrow as the business permits.

Web Application Firewall

Applies to: all deployments

Deploy a WAF with rules to block Java deserialization attacks.

Configure the WAF to inspect HTTP request bodies and parameters for Java serialized object patterns (the serialization stream header bytes AC ED 00 05, and their base64-encoded form beginning "rO0AB") and block matching requests. Treat this as a stopgap only: signature matching can be evaded by alternative encodings, and a WAF does not remove the server-side deserialization of untrusted data.

🧯 If You Can't Patch

  • Isolate affected systems in separate network segments with strict access controls
  • Implement application-level monitoring for suspicious login page activity and Java deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check ASSUWEB version in application interface or configuration files. Version 359.3 build 1 is vulnerable.

Check Version:

Look for the ASSUWEB version string in the application's web interface or in its deployment configuration files; consult the vendor's documentation for the exact location, as this page does not name the file.

Verify Fix Applied:

Confirm with the vendor that the patched build is installed, then, under an authorised test, send a request carrying a serialized Java object to the login page and confirm that it is rejected rather than deserialized (for example, the application should not emit deserialization errors or attempt to load classes named in the payload).

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java deserialization errors in application logs (ObjectInputStream, ClassNotFoundException or InvalidClassException stack traces triggered by the login page)
  • Login requests whose body is not the expected form fields, for example binary data or large base64 blobs
  • Unexpected child processes spawned by the web or application server process

Network Indicators:

  • HTTP requests to the login page whose body or parameters contain a serialized Java object (stream header bytes AC ED 00 05, or base64 text beginning "rO0AB")
  • Unusual outbound connections from the application server (reverse shells, payload staging, or command-and-control traffic)

SIEM Query:

source="*assuweb*" AND (message="*deserialization*" OR message="*ObjectInputStream*" OR (status=500 AND uri="/login"))
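As an added example (not code from ACA, ASSUWEB, or this page's original content), the following Python script applies the indicators above to constructed request records: the serialized-object patterns a WAF rule would match (the Java stream header AC ED 00 05, its base64 form "rO0AB", and its hex form), plus the "HTTP 500 on the login page with a deserialization error" correlation that the SIEM query expresses. The record layout, the /login path, the sample bodies and the log text are assumptions; the page does not publish ASSUWEB's URLs or log format.

```python
"""Flag Java-deserialization indicators in HTTP request records.

Added example for this page; it is not ACA/ASSUWEB code. The record layout,
the login URI "/login", the sample traffic and the log text are constructed
assumptions, since the page does not publish ASSUWEB's URLs or log format.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by
# STREAM_VERSION 0x0005. Every java.io.ObjectOutputStream output starts with it.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes base64-encode to "rO0ABQ=="; the prefix "rO0AB" survives
# whatever data follows the header, so it is the usual WAF/IDS signature.
JAVA_SER_B64_PREFIX = "rO0AB"
# Hex form seen when a payload is passed as a text parameter.
JAVA_SER_HEX_RE = re.compile(r"aced0005", re.IGNORECASE)
# Application-log text typical of a deserialization attempt failing part way.
DESER_ERROR_RE = re.compile(
    r"ObjectInputStream|deserializ|ClassNotFoundException|InvalidClassException",
    re.IGNORECASE,
)
LOGIN_URI = "/login"  # assumption: the page does not name ASSUWEB's login path


@dataclass
class RequestRecord:
    src_ip: str
    method: str
    uri: str
    status: int
    body: bytes
    app_log: str = ""  # application log line correlated with this request


@dataclass
class Finding:
    src_ip: str
    uri: str
    reasons: List[str]


def java_ser_indicators(body: bytes) -> List[str]:
    """Return the serialization indicators present in a request body."""
    decoded = unquote_to_bytes(body)  # undo %XX encoding before matching
    text = decoded.decode("latin-1")  # 1:1 byte-to-char mapping, never raises
    reasons = []
    if JAVA_SER_MAGIC in decoded:
        reasons.append("raw Java serialization header (AC ED 00 05)")
    if JAVA_SER_B64_PREFIX in text:
        reasons.append("base64 Java serialization header (rO0AB)")
    if JAVA_SER_HEX_RE.search(text):
        reasons.append("hex Java serialization header (aced0005)")
    return reasons


def analyze(records: Iterable[RequestRecord], login_uri: str = LOGIN_URI) -> List[Finding]:
    """Body checks plus the status/log correlation the SIEM query expresses."""
    findings = []
    for rec in records:
        reasons = java_ser_indicators(rec.body)
        if rec.uri == login_uri and rec.status == 500 and DESER_ERROR_RE.search(rec.app_log):
            reasons.append("HTTP 500 on login with deserialization error in app log")
        if reasons:
            findings.append(Finding(rec.src_ip, rec.uri, reasons))
    return findings


def sample_records() -> List[RequestRecord]:
    """Constructed traffic: one normal login and four payload encodings.

    The payload bodies are a bare stream header plus filler, not a gadget chain.
    """
    filler = b"sr\x00\x11java.util.HashMap"
    return [
        RequestRecord("10.0.0.5", "POST", LOGIN_URI, 302, b"user=alice&pass=secret"),
        RequestRecord("203.0.113.7", "POST", LOGIN_URI, 500, JAVA_SER_MAGIC + filler,
                      app_log="java.io.InvalidClassException at java.io.ObjectInputStream.readObject"),
        RequestRecord("203.0.113.7", "POST", LOGIN_URI, 200,
                      b"token=" + base64.b64encode(JAVA_SER_MAGIC + filler)),
        RequestRecord("203.0.113.8", "POST", LOGIN_URI, 200, b"data=%AC%ED%00%05%73%72"),
        RequestRecord("203.0.113.8", "POST", LOGIN_URI, 200, b"obj=ACED0005737200"),
    ]


if __name__ == "__main__":
    for finding in analyze(sample_records()):
        print(f"{finding.src_ip} {finding.uri}: " + "; ".join(finding.reasons))
```

The percent-decoding step matters: a payload sent as `%AC%ED%00%05...` in a form field contains neither the raw header bytes nor the "rO0AB" text, so a rule that only matches the literal header misses it. The same three patterns are what a WAF signature for this workaround should cover, and the application-log correlation catches attempts whose payload was not captured on the wire (for example over TLS terminated at the application server).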
