PT-2021-4766 · Xstream+5

Published 2021-03-12 · Updated 2024-08-22 · CVE-2021-21348

CVSS v2.0 7.8 High
Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16
Description: XStream is a Java library for serializing objects to XML and back. In versions before 1.4.16, a remote attacker who controls the input stream that XStream unmarshals can craft it so that processing occupies a thread that consumes maximum CPU time and never returns (a regular-expression denial of service, ReDoS, triggered during deserialization of the untrusted stream). Each such request pins one worker thread at full CPU indefinitely, so a handful of requests is enough to exhaust a server's thread pool. Users who set up XStream's security framework with a whitelist limited to the minimal required types are not affected, because the types needed for the payload are never instantiated.
Recommendations: Upgrade to XStream 1.4.16 or later if you rely on the default blacklist of XStream's security framework. Until the upgrade is applied, configure the security framework with a whitelist limited to the minimal required types; the XStream project recommends this whitelist setup in general rather than relying on the blacklist, and it is the configuration that removes exposure to this issue regardless of version.
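The whitelist workaround above, shown as an added example (this is not code from the advisory or from the XStream project). It builds the weak default instance beside a whitelist-configured one, unmarshals a legitimate document, and checks that a root element naming a type outside the whitelist is rejected with XStream's ForbiddenClassException. The application class Message, the alias "message", and both XML samples are constructed for the example; the permission classes and allowTypes/allowTypesByWildcard calls are XStream 1.4.x API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelist {

    /** Hypothetical application type that is legitimately exchanged over the wire. */
    public static class Message {
        public String sender;
        public String body;
    }

    /**
     * Weak setup: a bare XStream instance relies on the built-in blacklist.
     * Releases before 1.4.16 accept any type not on that list, which is what
     * CVE-2021-21348 exploits.
     */
    public static XStream blacklistXStream() {
        return new XStream();
    }

    /** Hardened setup: forbid everything, then re-allow only what the application needs. */
    public static XStream whitelistXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all types by default
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Message.class });
        xstream.alias("message", Message.class);
        // For a whole package of model classes, a wildcard is more practical:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    /** Returns true if the instance refuses to instantiate the given root element. */
    public static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate message document.
        String good = "<message><sender>alice</sender><body>hello</body></message>";
        // Constructed sample: a root element naming a JDK type the application never exchanges.
        String unexpected = "<java.util.HashMap/>";

        XStream safe = whitelistXStream();
        Message m = (Message) safe.fromXML(good);
        System.out.println("whitelist accepted legitimate message from " + m.sender);
        System.out.println("whitelist rejects unexpected type: " + rejects(safe, unexpected));

        // On the affected releases (< 1.4.16) the default instance accepts the same
        // element, because java.util.HashMap is not on the blacklist; the exact
        // behaviour of a bare instance varies by XStream version.
        System.out.println("blacklist rejects unexpected type: "
                + rejects(blacklistXStream(), unexpected));
    }
}
```

The important property is the order of calls in whitelistXStream(): NoTypePermission.NONE must be added first so that every later permission re-opens only the named types. Applications that unmarshal many collection types should add them explicitly (for example allowTypeHierarchy(java.util.Collection.class)) rather than falling back to the blacklist.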

Weakness Enumeration

Deserialization of Untrusted Data

Resource Exhaustion

Related Identifiers

ALT-PU-2022-1100
ALT-PU-2022-2171
ALT-PU-2022-7660
ALT-PU-2023-1912
BDU:2021-05485
BIT-ACTIVEMQ-2021-21348
CVE-2021-21348
DLA-2616-1
DSA-5004-1
GHSA-56P8-3FH9-4CVQ
MGASA-2021-0370
OESA-2021-1185
OPENSUSE-SU-2021:0832-1
OPENSUSE-SU-2021:1840-1
OPENSUSE-SU-2021_0832-1
OPENSUSE-SU-2021_1840-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:1840-1
SUSE-SU-2021:1840-2
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Xstream