CVE-2021-21348
HIGHCVSS 7.5/10EPSS 14.20%
Last modified
CVE-2021-21348 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. EPSS estimates a 14.20% chance of exploitation in the next 30 days.
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Oncommand Insight | All versions |
| Apache | Activemq | < 5.15.14 |
| Apache | Activemq | 5.16.0 |
| Apache | Activemq | 5.16.1 |
| Apache | Jmeter | < 5.5 |
| Xstream | Xstream | < 1.4.16 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.5.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Business Activity Monitoring | 12.2.1.3.0 |
| Oracle | Business Activity Monitoring | 12.2.1.4.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0.0.3.0 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Unified Inventory Management | 7.3.2 |
| Oracle | Communications Unified Inventory Management | 7.3.4 |
| Oracle | Communications Unified Inventory Management | 7.3.5 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Mysql Server | <= 8.0.27 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Retail Xstore Point Of Service | 17.0.4 |
| Oracle | Retail Xstore Point Of Service | 18.0.3 |
| Oracle | Retail Xstore Point Of Service | 19.0.2 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
References
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvqThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21348.htmlThird Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
- http://x-stream.github.io/changes.html#1.4.16Release Notes, Third Party Advisory
- https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvqThird Party Advisory
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3EIssue Tracking, Mailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210430-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5004Mailing List, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://x-stream.github.io/CVE-2021-21348.htmlThird Party Advisory
- https://x-stream.github.io/security.html#workaroundMitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-21348?
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
How severe is CVE-2021-21348?
CVE-2021-21348 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 14.20% probability of exploitation in the next 30 days.
How do I fix CVE-2021-21348?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-21348?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST