CVE-2021-43859
Denial of Service vulnerability in com.thoughtworks.xstream:xstream

Type: Denial of Service. Known public exploit: none.

What is CVE-2021-43859 About?

This vulnerability allows a remote attacker to cause a denial of service by manipulating the processed input stream, driving CPU utilization to 100%. The impact is significant, because it disrupts the availability of the affected system. Exploitation is relatively easy: a specially crafted input triggers exponential calculation time in collection hash codes.

Affected Software

com.thoughtworks.xstream:xstream <1.4.19

Technical Details

The vulnerability is a variant of a 'hash collision' or 'hash DoS' attack against XStream's deserialization of certain collection types. An attacker crafts a malicious input stream (XML/JSON) that, when deserialized, creates collections (e.g., `HashMap`, `HashSet`) whose elements are designed to cause a large number of hash collisions. Faced with such an input, the default hash code implementation of these collections requires exponentially more CPU time for operations such as adding elements. This disproportionate computational cost, triggered by a specially constructed input such as highly recursive structures nested inside the collection, can consume 100% of the CPU, resulting in a denial of service on the target system.

What is the Impact of CVE-2021-43859?

Successful exploitation may allow attackers to cause a denial of service (DoS) by consuming all available CPU resources, leading to service unavailability.

What is the Exploitability of CVE-2021-43859?

Exploitation is of low to moderate complexity: it requires knowledge of hash collision attacks and of how to craft inputs that exploit the hashing algorithms of Java collections. No authentication is necessary if the vulnerable XStream endpoint accepts untrusted input, and no privileges are needed on the target system. The vulnerability is remotely exploitable, since the crafted input stream can be sent over the network. The prerequisite is an application that uses XStream to deserialize untrusted data which may contain Java collection types susceptible to hash DoS (e.g., HashMap, HashSet). The risk increases if the application neither monitors deserialization time nor limits the size or complexity of deserialized objects.
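The fix is the upgrade to 1.4.19 listed below. As an added defender-side example (not code from this advisory or from the XStream project), the following Java wrapper shows the two compensating controls a deployment that cannot upgrade immediately can apply around the mechanism described in the Technical Details section: XStream's `NO_REFERENCES` mode, which the upstream XStream advisory names as the workaround because it prevents the recursion the crafted input relies on, and the per-call deserialization time budget that the exploitability section above identifies as missing in at-risk systems. `XStream.setMode` and `XStream.NO_REFERENCES` are real XStream API; the class name `BoundedXStream`, the 500 ms budget and the sample XML are assumptions made for the example.

```java
import com.thoughtworks.xstream.XStream;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Hypothetical wrapper (not part of XStream) that bounds how long a single
 * fromXML() call may run, so a CPU-exhausting input surfaces as a timeout
 * that can be logged and alerted on instead of silently pinning a core.
 */
public final class BoundedXStream {
    private final XStream xstream;
    private final ExecutorService worker;
    private final long budgetMillis;

    public BoundedXStream(long budgetMillis) {
        this.budgetMillis = budgetMillis;
        this.xstream = new XStream();
        // Upstream's workaround for deployments still on a version before 1.4.19:
        // NO_REFERENCES disables reference tracking, which removes the recursion
        // the crafted input depends on. Object graphs with shared or cyclic
        // references will no longer round-trip, so confirm the application's
        // payloads do not need them before enabling this mode.
        this.xstream.setMode(XStream.NO_REFERENCES);
        this.worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "xstream-deserializer");
            t.setDaemon(true); // a runaway parse must not keep the JVM alive
            return t;
        });
    }

    /** Deserializes untrusted XML, failing fast once the time budget is spent. */
    public Object fromXml(String untrustedXml) throws TimeoutException {
        Future<Object> result = worker.submit(() -> xstream.fromXML(untrustedXml));
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Caveat: cancel(true) only sets the interrupt flag, and a hashCode
            // computation never checks it, so the worker may keep burning CPU
            // until it finishes. The timeout gives the caller a detection signal
            // and a reason to reject the client; it is not a substitute for the upgrade.
            result.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while deserializing", e);
        } catch (ExecutionException e) {
            throw new IllegalArgumentException("rejected input", e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedXStream bounded = new BoundedXStream(500); // assumed 500 ms budget
        // Constructed benign sample input; a real service would receive it from a client.
        String xml = "<map><entry><string>k</string><string>v</string></entry></map>";
        System.out.println(bounded.fromXml(xml));
    }
}
```

Because the worker is a single thread, one parse that blows its budget also delays every request queued behind it; that is deliberate, since it caps the damage at one core and turns the condition into a visible backlog, but a service that needs throughput should size the pool and count timeouts per client so repeated offenders can be cut off at the edge.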

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2021-43859?

Available Upgrade Options

  • com.thoughtworks.xstream:xstream
    • <1.4.19 → Upgrade to 1.4.19


Additional Resources

What are Similar Vulnerabilities to CVE-2021-43859?

Similar Vulnerabilities: CVE-2009-0217, CVE-2011-4858, CVE-2012-1188, CVE-2012-2122, CVE-2013-1763