CVE-2021-39140
Denial of Service vulnerability in xstream (Maven)

Type: Denial of Service | Known public exploit: none

What is CVE-2021-39140 About?

This XStream vulnerability allows a remote attacker to cause a Denial of Service by manipulating the processed input stream, consuming 100% CPU time. The impact is high, making the service unavailable for legitimate users. Exploitation is possible by sending a specially crafted input stream.

Affected Software

com.thoughtworks.xstream:xstream <1.4.18

Technical Details

When the XStream library processes a manipulated input stream, a remote attacker can force it to consume 100% of CPU time on the target system. This resource exhaustion results in a Denial of Service. The vulnerability stems from an inefficient or complex processing path inside the deserialization routine that a specific input payload can trigger. Because the security framework in affected versions is blacklist-based by default, it does not block the types or structures that lead to the CPU-intensive operation. The actual impact depends on the CPU type and on whether several such payloads are processed in parallel.

What is the Impact of CVE-2021-39140?

Successful exploitation may allow attackers to consume all available CPU resources, leading to a complete Denial of Service and making the application or service unresponsive.

What is the Exploitability of CVE-2021-39140?

Exploitation requires a remote attacker to craft a malicious input stream and send it to an application that uses XStream for deserialization. The complexity is moderate, since the payload must be designed to trigger the CPU exhaustion. Authentication is not a prerequisite of the vulnerability itself; whether it is needed depends on whether the endpoint that feeds input to XStream is publicly reachable. This is a remote attack. The privileges gained are those of the application running XStream. The risk is significantly reduced when a strict whitelist-based security framework is configured, limiting the types that XStream will process. The likelihood of exploitation increases when the application processes untrusted input with a vulnerable XStream version.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-39140?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.18 → Upgrade to 1.4.18


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39140?

Similar Vulnerabilities: CVE-2021-31684, CVE-2022-22965, CVE-2021-44228, CVE-2023-34035, CVE-2020-13936