CVE-2021-33806

9.8 CRITICAL

📋 TL;DR

CVE-2021-33806 is a remote code execution vulnerability in the BDew BdLib library for Minecraft, caused by insecure deserialization of untrusted data. Attackers can exploit this to execute arbitrary code on servers running vulnerable versions. This affects Minecraft servers and clients using the vulnerable BdLib library.

💻 Affected Systems

Products:
  • BDew BdLib library for Minecraft
Versions: All versions before 1.16.1.7
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Minecraft servers and clients using the vulnerable BdLib library. The vulnerability is in the library itself, not Minecraft core.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attacker to execute arbitrary commands, install malware, steal data, or take control of the Minecraft server host system.

🟠 Likely Case

Remote code execution leading to server disruption, data theft, or installation of backdoors on vulnerable Minecraft servers.

🟢 If Mitigated

Limited impact with proper network segmentation and restricted server access, though exploitation could still disrupt Minecraft services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious serialized data to the vulnerable application. The vulnerability is in a widely used library pattern (insecure deserialization) with known exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16.1.7 and later

Vendor Advisory: https://bdew.net

Restart Required: Yes

Instructions:

1. Download BdLib version 1.16.1.7 or later from official sources.
2. Replace the vulnerable BdLib JAR file in your Minecraft mods directory.
3. Restart the Minecraft server or client.

🔧 Temporary Workarounds

Remove BdLib Mod

Platforms: all

Temporarily remove the BdLib mod from your Minecraft installation if immediate patching isn't possible.

rm /path/to/minecraft/mods/bdlib-*.jar

Network Isolation

Platforms: all

Restrict network access to Minecraft servers to trusted networks only.

🧯 If You Can't Patch

  • Isolate Minecraft servers on separate network segments with strict firewall rules
  • Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check the BdLib JAR file version in your Minecraft mods directory. Versions before 1.16.1.7 are vulnerable.

Check Version:

java -jar bdlib-*.jar --version or check the JAR filename

Verify Fix Applied:

Verify that BdLib version 1.16.1.7 or later is installed and the server/client starts without errors.
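An added checker for the filename-based version check described above; it is not part of this advisory or the BdLib project, and it assumes BdLib JARs are named bdlib-<version>[-suffix].jar (e.g. bdlib-1.16.1.6-mc1.16.5.jar). It reports any JAR whose version is below 1.16.1.7 as vulnerable and ignores other mods in the directory.

```python
import re
import sys
from pathlib import Path

# Assumption (not from the advisory): BdLib JARs are named
# "bdlib-<version>[-<suffix>].jar", e.g. bdlib-1.16.1.6-mc1.16.5.jar
JAR_NAME = re.compile(r"^bdlib-(\d+(?:\.\d+)*)(?:-[^/]*)?\.jar$", re.IGNORECASE)
FIXED_VERSION = (1, 16, 1, 7)  # first fixed release per the advisory


def parse_version(text: str) -> tuple:
    """Turn '1.16.1.6' into (1, 16, 1, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def version_from_jar_name(filename: str):
    """Return the version tuple encoded in a BdLib JAR filename, or None for other files."""
    match = JAR_NAME.match(filename)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version: tuple) -> bool:
    """True for versions strictly before 1.16.1.7; short tuples are zero-padded (1.16 == 1.16.0.0)."""
    width = max(len(version), len(FIXED_VERSION))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED_VERSION)


def scan_mods_dir(mods_dir) -> list:
    """Return (filename, version, vulnerable) for every BdLib JAR found in mods_dir."""
    findings = []
    for path in sorted(Path(mods_dir).glob("*.jar")):
        version = version_from_jar_name(path.name)
        if version is not None:
            findings.append((path.name, version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    # Usage: python check_bdlib.py /path/to/minecraft/mods
    for name, version, vulnerable in scan_mods_dir(sys.argv[1] if len(sys.argv) > 1 else "mods"):
        print(f"{name}: {'VULNERABLE (< 1.16.1.7)' if vulnerable else 'ok'}")
```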

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected process execution from Minecraft Java process
  • Stack traces containing ObjectInputStream or serialization-related errors

Network Indicators:

  • Unusual network traffic to/from Minecraft server port (default 25565)
  • Suspicious Java serialized data in network packets

SIEM Query:

process_name:"java.exe" AND (process_command_line:"bdlib" OR process_command_line:"minecraft") AND event_type:"process_creation"
