CVE-2021-21341
Denial of Service vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2021-21341 About?
This vulnerability in XStream allows a remote attacker to trigger a denial of service by manipulating the processed input stream. Exploitation can lead to 100% CPU utilization, effectively disabling the target system. Users who implement XStream's security framework with a strict whitelist are not affected, but those relying on the default blacklist are susceptible to this relatively easy-to-trigger attack.
Affected Software
Technical Details
The vulnerability allowing denial of service in XStream arises from the insecure deserialization of specifically crafted input streams. An attacker can construct an input containing a highly nested or self-referential object graph, or objects that, upon deserialization, trigger computationally intensive operations. When XStream attempts to process such a malicious stream, it can consume excessive CPU resources, leading to prolonged processing times or an infinite loop, effectively monopolizing CPU time (100% utilization) on the target system. This resource exhaustion results in a denial of service, preventing legitimate users from accessing the application.
What is the Impact of CVE-2021-21341?
Successful exploitation may allow attackers to allocate 100% CPU time, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2021-21341?
Exploitation requires sending a specially crafted input stream to an application using a vulnerable XStream instance. The complexity is moderate, as it involves creating a malicious serialized object designed to exhaust system resources. No authentication is typically required if the vulnerable endpoint accepts unauthenticated input. The attack is remote, relying on network transmission of the malicious payload. The likelihood of exploitation increases if the application processes untrusted data without input validation and does not implement a protective whitelist for deserialized types, allowing for arbitrary object creation that can lead to resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| s-index | Link | XStream DoS CVE-2021-21341 |
| Mani1325 | Link | PoC for CVE-2021-21341 |
What are the Available Fixes for CVE-2021-21341?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.16 → Upgrade to 1.4.16
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html
- https://x-stream.github.io/security.html#workaround
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
- https://x-stream.github.io/CVE-2021-21341.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://www.debian.org/security/2021/dsa-5004
- https://security.netapp.com/advisory/ntap-20210430-0002/
What are Similar Vulnerabilities to CVE-2021-21341?
Similar Vulnerabilities: CVE-2021-39145, CVE-2020-26217, CVE-2020-13936, CVE-2019-10086, CVE-2018-11759
