CVE-2021-37632

8.1 HIGH

📋 TL;DR

This vulnerability in SuperMartijn642's Config Lib allows attackers to send malicious packets that exploit Java's ObjectInputStream deserialization, potentially leading to remote code execution. Both Minecraft servers and clients using affected versions are vulnerable to this attack. The vulnerability exists because packet data isn't validated before deserialization, allowing instantiation of arbitrary classes.

💻 Affected Systems

Products:
  • SuperMartijn642's Config Lib
  • Minecraft mods using this library
Versions: 1.0.4 through 1.0.8
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Minecraft servers and clients. Any mod using the vulnerable library versions is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or server takeover

🟠 Likely Case: Server/client crashes, denial of service, or limited code execution depending on available classes

🟢 If Mitigated: No impact if patched or proper network controls prevent malicious packet delivery

🌐 Internet-Facing: HIGH - Minecraft servers are typically internet-facing and accept connections from untrusted clients
🏢 Internal Only: MEDIUM - Internal clients could still exploit vulnerable servers, but attack surface is reduced

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of Java deserialization attacks and available classes, but no authentication is needed. The advisory suggests weaponization is likely given the impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.9 and higher

Vendor Advisory: https://github.com/SuperMartijn642/SuperMartijn642sConfigLib/security/advisories/GHSA-f4r5-w453-2jx6

Restart Required: Yes

Instructions:

1. Update SuperMartijn642's Config Lib to version 1.0.9 or higher.
2. Update any Minecraft mods using this library.
3. Restart the Minecraft server/client to apply the changes.

🔧 Temporary Workarounds

Network segmentation (applies to: all): Isolate Minecraft servers from untrusted networks and restrict client connections

Firewall rules (applies to: all): Block unnecessary inbound/outbound traffic to Minecraft servers

🧯 If You Can't Patch

  • Disable or remove mods using vulnerable Config Lib versions
  • Implement strict network controls and monitor for suspicious packet traffic

🔍 How to Verify

Check if Vulnerable:

Check mod configuration files or mod lists for SuperMartijn642's Config Lib version 1.0.4-1.0.8

Check Version:

Check mods folder for configlib version file or examine Minecraft mod list output

Verify Fix Applied:

Confirm SuperMartijn642's Config Lib version is 1.0.9 or higher in mod configuration
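
The three verification steps above can be scripted. The following is an added example, not code from the advisory or from the Config Lib project: it scans a mods folder, pulls a dotted version out of any jar whose name contains "configlib", and classifies it against the advisory's range (1.0.4 through 1.0.8 affected, 1.0.9 and higher fixed). The jar filename convention (`supermartijn642configlib-<version>-<mc>.jar`) is an assumption, and the `demo()` helper builds a throwaway mods folder with constructed empty jar files so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Version range taken from the advisory: 1.0.4 through 1.0.8 affected, 1.0.9+ fixed.
FIRST_AFFECTED = (1, 0, 4)
FIXED_IN = (1, 0, 9)

# Assumed filename convention (not confirmed by the advisory): the library jar
# carries "configlib" and a dotted version in its name, e.g.
# supermartijn642configlib-1.0.8-mc1.16.jar
JAR_VERSION_RE = re.compile(r"configlib[-_]?v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(jar_name):
    """Return the (major, minor, patch) tuple from a Config Lib jar name, or None."""
    m = JAR_VERSION_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map a parsed version tuple onto the advisory's ranges."""
    if version >= FIXED_IN:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "vulnerable"
    return "unaffected-older"


def scan_mods_dir(mods_dir):
    """Walk a mods folder and report every Config Lib jar with its status.

    Returns a list of (filename, version_string, status) sorted by filename.
    Jars whose names do not match the assumed convention are skipped.
    """
    findings = []
    for jar in sorted(Path(mods_dir).glob("*.jar")):
        version = parse_version(jar.name)
        if version is None:
            continue  # not Config Lib, or no parseable version in the name
        findings.append((jar.name, ".".join(map(str, version)), classify(version)))
    return findings


def demo():
    """Build a throwaway mods folder with constructed (empty) jar files and scan it."""
    names = [
        "supermartijn642configlib-1.0.8-mc1.16.jar",  # constructed: affected version
        "supermartijn642configlib-1.0.9-mc1.16.jar",  # constructed: fixed version
        "somecoremod-3.2.1.jar",                       # constructed: unrelated mod
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for n in names:
            (Path(tmp) / n).touch()
        return scan_mods_dir(tmp)


if __name__ == "__main__":
    for name, ver, status in demo():
        print(f"{status:16} {ver:8} {name}")
```

Point `scan_mods_dir()` at a real `mods/` directory to get the report for an installation; a modpack that bundles several Minecraft versions will show one Config Lib jar per version, each classified separately.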

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected class instantiation errors
  • Minecraft server/client crashes

Network Indicators:

  • Unusual packet patterns to Minecraft ports
  • Malformed network traffic on Minecraft server ports

SIEM Query:

source="minecraft.log" AND ("deserialization" OR "ObjectInputStream" OR "readObject")
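
The SIEM query above is a plain keyword match, which on a Java stack trace fires once per frame. As an added example (not from the advisory or the project), the following runs the same three terms over a constructed Minecraft log excerpt, then collapses adjacent matching lines into a single event. It goes slightly beyond the page's query by also matching the concrete Java exception names (`InvalidClassException`, `ClassNotFoundException`, `StreamCorruptedException`) that correspond to the "deserialization errors" and "unexpected class instantiation errors" indicators listed above; the log lines, class names and frame line numbers in `SAMPLE_LOG` are constructed for the demo.

```python
# The three terms from the SIEM query on this page.
QUERY_TERMS = ("deserialization", "ObjectInputStream", "readObject")

# Added extension of the page's query: Java exception names raised when a
# deserialized stream is rejected or names a class that cannot be resolved.
EXTRA_TERMS = ("InvalidClassException", "ClassNotFoundException", "StreamCorruptedException")

ALL_TERMS = QUERY_TERMS + EXTRA_TERMS

# Constructed sample log: one benign line, one failed packet with a short
# stack trace (class name and frame numbers are made up), one benign line.
SAMPLE_LOG = """\
[12:00:01] [Server thread/INFO]: Loaded config for supermartijn642configlib
[12:00:07] [Netty Server IO #2/ERROR]: Failed to handle packet
java.lang.ClassNotFoundException: com.example.NotOnClasspath
\tat java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:756)
\tat java.io.ObjectInputStream.readObject(ObjectInputStream.java:460)
[12:00:08] [Server thread/INFO]: Saving worlds
"""


def match_terms(line, terms=ALL_TERMS):
    """Return the indicator terms present in one log line (case-insensitive)."""
    low = line.lower()
    return [t for t in terms if t.lower() in low]


def scan_log(text, terms=ALL_TERMS):
    """Return (line_number, hits) for every line that matches at least one term."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits = match_terms(line, terms)
        if hits:
            out.append((n, hits))
    return out


def group_events(text, terms=ALL_TERMS, gap=3):
    """Collapse matching lines that sit within `gap` lines of each other.

    A stack trace produces one matching line per frame; grouping turns that
    into one event with the union of the terms seen, which is what an alert
    should carry.
    """
    events = []
    for n, hits in scan_log(text, terms):
        if events and n - events[-1]["last_line"] <= gap:
            events[-1]["last_line"] = n
            events[-1]["terms"].update(hits)
        else:
            events.append({"first_line": n, "last_line": n, "terms": set(hits)})
    return events


if __name__ == "__main__":
    print("raw query hits:", [n for n, _ in scan_log(SAMPLE_LOG, QUERY_TERMS)])
    for ev in group_events(SAMPLE_LOG):
        print(f"event lines {ev['first_line']}-{ev['last_line']}: {sorted(ev['terms'])}")
```

On the sample, the page's three-term query matches only the two stack frames (lines 4 and 5), while the extended term list also catches the `ClassNotFoundException` line that precedes them; grouping reports all three as one event. A run of such events on a server should be correlated with the connecting client address from the surrounding log lines before escalating.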
