Vulnerability Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS Score
HIGH (base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | - |
| Apache | Activemq | < 5.15.14 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0.0.3.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
References
- http://x-stream.github.io/changes.html#1.4.16 (Release Notes; Third Party Advisory)
- https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh (Third Party Advisory)
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae (Issue Tracking; Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fa (Issue Tracking; Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210430-0002/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5004 (Mailing List; Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
- https://x-stream.github.io/CVE-2021-21341.html (Exploit; Third Party Advisory)
- https://x-stream.github.io/security.html#workaround (Mitigation; Third Party Advisory)
FAQ
What is CVE-2021-21341?
CVE-2021-21341 is a vulnerability with a CVSS score of 7.5 (HIGH). XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target...
How severe is CVE-2021-21341?
CVE-2021-21341 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-21341?
Check the references section above for vendor advisories and patch information. Affected products include: Netapp Oncommand Insight, Apache Activemq, Apache Jmeter, Xstream Xstream, Debian Debian Linux.