CVE-2021-43859

HIGH
7.5 CVSS 3.1
Published Feb 1, 2022 · Last Modified Jun 17, 2026

Description

XStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-400: Uncontrolled Resource Consumption (Resource Mgmt)

Affected Products 19

Vendor         | Product                                                | Version     | Range
---------------|--------------------------------------------------------|-------------|------------------
jenkins        | jenkins                                                | *           | <2.319.3
jenkins        | jenkins                                                | *           | ≥2.321 – <2.334
xstream        | xstream                                                | *           | <1.4.19
fedoraproject  | fedora                                                 | 34          | any
fedoraproject  | fedora                                                 | 35          | any
debian         | debian_linux                                           | 9.0         | any
oracle         | commerce_guided_search                                 | 11.3.2      | any
oracle         | communications_brm_-_elastic_charging_engine           | *           | <12.0.0.4.6
oracle         | communications_brm_-_elastic_charging_engine           | 12.0.0.5.0  | any
oracle         | communications_cloud_native_core_automated_test_suite  | 1.9.0       | any
oracle         | communications_diameter_intelligence_hub               | *           | ≥8.0.0 – ≤8.1.0
oracle         | communications_diameter_intelligence_hub               | *           | ≥8.2.0 – ≤8.2.6
oracle         | communications_policy_management                       | 12.6.0.0.0  | any
oracle         | flexcube_private_banking                               | 12.1.0      | any
oracle         | retail_xstore_point_of_service                         | 16.0.6      | any
oracle         | retail_xstore_point_of_service                         | 17.0.4      | any
oracle         | retail_xstore_point_of_service                         | 18.0.3      | any
oracle         | retail_xstore_point_of_service                         | 19.0.2      | any
oracle         | retail_xstore_point_of_service                         | 20.0.1      | any

References 10

  • openwall.com http://www.openwall.com/lists/oss-security/2022/02/09/1
    (Mailing List, Third Party Advisory)
  • github.com https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
    (Patch, Third Party Advisory)
  • github.com https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
    (Exploit, Third Party Advisory)
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html
    (Mailing List, Third Party Advisory)
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/
    (Mailing List)
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/
    (Mailing List)
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    (Patch, Third Party Advisory)
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    (Patch, Third Party Advisory)
  • x-stream.github.io https://x-stream.github.io/CVE-2021-43859.html
    (Exploit, Vendor Advisory)

Remediation

  • github.com https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
    (Patch, Third Party Advisory)
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    (Patch, Third Party Advisory)
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    (Patch, Third Party Advisory)