CVE-2021-43859

CVE	CVE-2021-43859
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-02-01 12:15:00 UTC
Updated	2023-11-07 03:39:00 UTC
Description	XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Problem Types: CWE-400

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	All	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	12.0.0.5.0	All	All	All
Application	Oracle	Communications Cloud Native Core Automated Test Suite	1.9.0	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Application	Oracle	Communications Policy Management	12.6.0.0.0	All	All	All
Application	Oracle	Flexcube Private Banking	12.1.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	16.0.6	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0.4	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	19.0.2	All	All	All
Application	Oracle	Retail Xstore Point Of Service	20.0.1	All	All	All
Application	Xstream Project	Xstream	All	All	All	All

Reference	Source	Link	Tags
[SECURITY] Fedora 35 Update: xstream-1.4.19-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] [DLA 2924-1] libxstream-java security update	MLIST	lists.debian.org
XStream can cause a Denial of Service by injecting highly recursive collections or maps · Advisory · x-stream/xstream · GitHub	CONFIRM	github.com
Describe and fix CVE-2021-43859. · x-stream/xstream@e8e8862 · GitHub	MISC	github.com
[SECURITY] Fedora 34 Update: xstream-1.4.19-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: xstream-1.4.19-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: xstream-1.4.19-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
XStream - CVE-2021-43859	MISC	x-stream.github.io
oss-security - Vulnerability in Jenkins	MLIST	www.openwall.com
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

179078 Debian Security Update for libxstream-java (DLA 2924-1)
183891 Debian Security Update for libxstream-java (CVE-2021-43859)
240241 Red Hat OpenShift Container Platform 5 Security Update (RHSA-2022:1420)
282371 Fedora Security Update for xstream (FEDORA-2022-ad5cf1c0dd)
282372 Fedora Security Update for xstream (FEDORA-2022-983a78275c)
690790 Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (0b0ad196-1ee8-4a98-89b1-4d5d82af49a9)
730360 Jenkins Denial of Service (DoS) Vulnerability (Jenkins Security Advisory 2022-02-09)
751873 OpenSUSE Security Update for xstream (openSUSE-SU-2022:0817-1)
753439 SUSE Enterprise Linux Security Update for xstream (SUSE-SU-2022:0817-1)