CVE-2021-33806
Description
The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BdLib Minecraft mod before 1.16.1.7 deserializes untrusted data via Java serialization, allowing remote code execution by a malicious server or client.
Vulnerability
BdLib, a library mod for Minecraft, uses Java serialization via ObjectInputStream.readObject() to deserialize packet data sent over the Minecraft network pipeline. Versions prior to 1.16.1.7 do not validate the incoming data before deserialization, making them susceptible to arbitrary code execution [2]. The vulnerability is classified as CWE-502: Deserialization of Untrusted Data [2].
Exploitation
An attacker who controls either a Minecraft server or a client can craft malicious serialized Java objects and send them as part of the BdLib network protocol. The victim's game client or server will deserialize the untrusted data without any validation, triggering the exploit [2]. No additional authentication or user interaction is required beyond connecting to a malicious server or accepting a connection from a malicious client.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the Minecraft process. This can lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within a network [2].
Mitigation
The vulnerability is fixed in BdLib version 1.16.1.7 [2]. The fix involved reworking the custom network code to eliminate the use of Java serialization, as shown in the commit 4472105 [1]. Users should update to 1.16.1.7 or later immediately. No workaround is available for earlier versions.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
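The change described under Mitigation above, sketched as an added example that is not BdLib's code or taken from its commit: a hypothetical packet handler in the pattern the description names (ObjectInputStream.readObject on network bytes), next to an explicit field decoder that uses no Java serialization. The class name, the Update message, its wire layout and the length limit are assumptions made for illustration; records require Java 16 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Added illustration; PacketDecodeExample, Update and the wire layout are hypothetical, not BdLib's.
public class PacketDecodeExample {
    // Hypothetical message: a block position plus a short label.
    record Update(int x, int y, int z, String label) implements Serializable {}

    static final int MAX_LABEL_BYTES = 64; // assumed protocol limit

    // Pattern named in the CVE description: the peer's bytes choose which classes are
    // instantiated, and their readObject/readResolve hooks run before the cast is checked.
    static Update decodeUnsafe(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return (Update) in.readObject();
        }
    }

    // Serialization-free form: only primitives and one bounded byte string are read.
    static Update decode(byte[] payload) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(payload))) {
            int x = in.readInt(), y = in.readInt(), z = in.readInt();
            int len = in.readUnsignedShort();
            if (len > MAX_LABEL_BYTES) throw new IOException("label too long: " + len);
            byte[] raw = new byte[len];
            in.readFully(raw); // throws EOFException on a truncated packet
            if (in.available() != 0) throw new IOException("trailing bytes");
            return new Update(x, y, z, new String(raw, StandardCharsets.UTF_8));
        }
    }

    static byte[] encode(Update u) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        byte[] raw = u.label().getBytes(StandardCharsets.UTF_8);
        if (raw.length > MAX_LABEL_BYTES) throw new IOException("label too long");
        out.writeInt(u.x()); out.writeInt(u.y()); out.writeInt(u.z());
        out.writeShort(raw.length);
        out.write(raw);
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] wire = encode(new Update(10, 64, -3, "tank")); // constructed sample
        System.out.println(decode(wire));
        // Constructed bytes starting with the Java serialization magic (AC ED 00 05):
        // to decode() they are just a malformed packet.
        byte[] serialized = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72};
        try { decode(serialized); } catch (IOException e) { System.out.println("rejected: " + e); }
    }
}
```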
Affected products
- BDew/BdLib library
References
- bdew.net (MITRE, x_refsource_MISC)
- github.com/bdew-minecraft/bdlib/commit/447210530ceec72fb3374efecb0930ed359d2297 (MITRE, x_refsource_CONFIRM)
- vuln.ryotak.me/advisories/46 (MITRE, x_refsource_MISC)
- www.curseforge.com/minecraft/mc-mods/bdlib/files/3331330 (MITRE, x_refsource_MISC)