CVE-2021-43859

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
VendorProductVersion
jenkinsjenkins
𝑥
< 2.319.3
jenkinsjenkins
2.321 ≤
𝑥
< 2.334
xstreamxstream
𝑥
< 1.4.19
debiandebian_linux
9.0
oraclecommerce_guided_search
11.3.2
oraclecommunications_brm_-_elastic_charging_engine
𝑥
< 12.0.0.4.6
oraclecommunications_brm_-_elastic_charging_engine
12.0.0.5.0
oraclecommunications_cloud_native_core_automated_test_suite
1.9.0
oraclecommunications_diameter_intelligence_hub
8.0.0 ≤
𝑥
≤ 8.1.0
oraclecommunications_diameter_intelligence_hub
8.2.0 ≤
𝑥
≤ 8.2.6
oraclecommunications_policy_management
12.6.0.0.0
oracleflexcube_private_banking
12.1.0
oracleretail_xstore_point_of_service
16.0.6
oracleretail_xstore_point_of_service
17.0.4
oracleretail_xstore_point_of_service
18.0.3
oracleretail_xstore_point_of_service
19.0.2
oracleretail_xstore_point_of_service
20.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxstream-java
bullseye (security)
vulnerable
bullseye
no-dsa
buster
no-dsa
bookworm
1.4.20-1
fixed
sid
1.4.20-2
fixed
trixie
1.4.20-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxstream-java
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2022/02/09/1
https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-43859.html
http://www.openwall.com/lists/oss-security/2022/02/09/1
https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://x-stream.github.io/CVE-2021-43859.html