CVE-2021-21348
Denial of Service vulnerability in com.thoughtworks.xstream:xstream

Vulnerability type: Denial of Service. Known public exploits: none.

What is CVE-2021-21348 About?

This is a Denial of Service vulnerability in XStream, where a remote attacker can exhaust CPU resources. The impact is a complete disruption of service, and it's relatively easy to exploit if the security framework is not properly configured with a whitelist.

Affected Software

com.thoughtworks.xstream:xstream <1.4.16

Technical Details

The vulnerability allows a remote attacker to submit a maliciously crafted input stream to XStream. The input is designed to make the thread that processes it consume the maximum amount of CPU time indefinitely, without ever returning. This locks up the processing thread and denies service to any operation that depends on it. The core issue lies in how XStream handles deserialization of certain types when the default blacklist of the Security Framework is in use rather than the recommended whitelist: an attacker can craft input that triggers an infinite loop or a high-CPU computation while deserializing an unexpected, unhandled type that the default blacklist does not block.

What is the Impact of CVE-2021-21348?

Successful exploitation may allow attackers to render the application unresponsive, cause a complete denial of service, and disrupt normal operations.

What is the Exploitability of CVE-2021-21348?

Exploitation is of medium complexity, primarily requiring that a remote attacker can send crafted input to the XStream library. There are no authentication or specific privilege requirements, making it accessible to any remote attacker who can interact with the application. The system needs to be processing input via XStream with the default blacklist of its security framework. The likelihood of exploitation increases if the application relies heavily on XStream for processing untrusted remote input and has not implemented the recommended whitelist-based security configuration.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link or commentary).

What are the Available Fixes for CVE-2021-21348?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.16 → Upgrade to 1.4.16


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21348?

Similar Vulnerabilities: CVE-2013-7285, CVE-2020-26259, CVE-2020-26258, CVE-2021-21347, CVE-2021-21350