PT-2021-14435 · Xstream+5

Published: 2021-03-16 · Updated: 2024-08-22 · CVE-2021-21341

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16
Description: The vulnerability allows a remote attacker to consume 100% CPU time on the target system (depending on CPU type, or by running the payload in parallel) by manipulating the processed input stream, resulting in a denial of service. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected.
Recommendations: To resolve the issue, use at least version 1.4.16 if you rely on XStream's default blacklist of the Security Framework. As a temporary workaround, set up XStream's security framework with a whitelist limited to the minimal required types until the patch is applied.

Tags: Exploit · Fix · DoS · Deserialization of Untrusted Data · Infinite Loop · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2022-7660
BIT-ACTIVEMQ-2021-21341
CVE-2021-21341
DLA-2616-1
DSA-5004-1
GHSA-2P3X-QW9C-25HH
MGASA-2021-0370
OESA-2021-1185
OPENSUSE-SU-2021:0832-1
OPENSUSE-SU-2021:1840-1
OPENSUSE-SU-2021_0832-1
OPENSUSE-SU-2021_1840-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:1840-1
SUSE-SU-2021:1840-2
SUSE-SU-2021_1840-1
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Xstream