XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/02/09/1 | Mailing List Third Party Advisory |
https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 | Patch Third Party Advisory |
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/ | |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
https://x-stream.github.io/CVE-2021-43859.html | Exploit Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
07 Nov 2023, 03:39
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
30 Jul 2022, 02:42
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:* |
|
First Time |
Oracle communications Diameter Intelligence Hub
Oracle communications Cloud Native Core Automated Test Suite Oracle flexcube Private Banking Oracle communications Policy Management Oracle retail Xstore Point Of Service Oracle commerce Guided Search Oracle communications Brm - Elastic Charging Engine Oracle |
25 Jul 2022, 18:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Mar 2022, 16:38
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/ - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html - Mailing List, Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/09/1 - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
|
First Time |
Debian
Debian debian Linux Fedoraproject fedora Fedoraproject |
16 Feb 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Feb 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-400 | |
References |
|
04 Feb 2022, 16:48
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf - Exploit, Third Party Advisory | |
References | (MISC) https://x-stream.github.io/CVE-2021-43859.html - Exploit, Vendor Advisory | |
CWE | CWE-502 | |
First Time |
Xstream Project
Xstream Project xstream |
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
CPE | cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* |
01 Feb 2022, 13:15
Type | Values Removed | Values Added |
---|---|---|
Summary | XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible. |
01 Feb 2022, 12:55
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-02-01 12:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-43859
Mitre link : CVE-2021-43859
CVE.ORG link : CVE-2021-43859
JSON object : View
Products Affected
oracle
- flexcube_private_banking
- retail_xstore_point_of_service
- communications_policy_management
- communications_cloud_native_core_automated_test_suite
- communications_diameter_intelligence_hub
- communications_brm_-_elastic_charging_engine
- commerce_guided_search
xstream_project
- xstream
fedoraproject
- fedora
debian
- debian_linux
CWE
CWE-400
Uncontrolled Resource Consumption