CVE-2021-43859
Denial of Service by injecting highly recursive collections or maps in XStream
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
XStream es una biblioteca java de código abierto para serializar objetos a XML y viceversa. Las versiones anteriores a 1.4.19, pueden permitir a un atacante remoto asignar el 100% del tiempo de la CPU en el sistema de destino, dependiendo del tipo de CPU o de la ejecución en paralelo de dicha carga útil, resultando en una denegación de servicio únicamente mediante la manipulación del flujo de entrada procesado. XStream versión 1.4.19 monitoriza y acumula el tiempo que tarda en añadir elementos a las colecciones y lanza una excepción si es superado un umbral establecido. Se recomienda a usuarios que actualicen lo antes posible. Los usuarios que no puedan actualizar pueden establecer el modo NO_REFERENCE para impedir una recursión. Ver GHSA-rmr5-cpv2-vgjf para más detalles sobre una medida de mitigación adicional si una actualización no es posible
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-02-01 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/02/09/1 | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf | 2024-08-04 | |
| https://x-stream.github.io/CVE-2021-43859.html | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xstream Project Search vendor "Xstream Project" | Xstream Search vendor "Xstream Project" for product "Xstream" | < 1.4.19 Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.19" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search" | 11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | < 12.0.0.4.6 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version " < 12.0.0.4.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | 12.0.0.5.0 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "12.0.0.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" | >= 8.0.0 <= 8.1.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.0.0 <= 8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" | >= 8.2.0 <= 8.2.6 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.2.0 <= 8.2.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management" | 12.6.0.0.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.6.0.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 20.0.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "20.0.1" | - |
Affected
| ||||||