CVE-2021-21341

Published: Mar 23, 2021Modified: May 23, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Affected (34)

Products: Netapp: Oncommand Insight · Apache: Activemq, Jmeter · Xstream: Xstream · +3 more

Show all products

Netapp: Oncommand Insight · Apache: Activemq, Jmeter · Xstream: Xstream · Debian: Debian Linux · Fedoraproject: Fedora · Oracle: Banking Enterprise Default Management, Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine, Communications Unified Inventory Management, Retail Xstore Point Of Service, Webcenter Portal

1 product

2 products

1 product

1 product

1 product

7 products

Banking Enterprise Default Management

Banking Platform

Business Activity Monitoring

Communications Billing And Revenue Management Elastic Charging Engine

Communications Unified Inventory Management

Retail Xstore Point Of Service

Webcenter Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Insight	All versions

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Before 5.15.14
Apache Activemq	Version 5.16.0
Apache Activemq	Version 5.16.1
Apache Jmeter	Before 5.5

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.16

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration F

22 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Enterprise Default Management	Version 2.10.0
Oracle Banking Enterprise Default Management	Version 2.12.0
Oracle Banking Platform	Version 2.12.0
Oracle Banking Platform	Version 2.4.0
Oracle Banking Platform	Version 2.7.1
Oracle Banking Platform	Version 2.9.0
Oracle Business Activity Monitoring	Version 11.1.1.9.0
Oracle Business Activity Monitoring	Version 12.2.1.3.0
Oracle Business Activity Monitoring	Version 12.2.1.4.0
Oracle Communications Billing And Revenue Management Elastic Charging Engine	Version 12.0.0.3.0
Oracle Communications Unified Inventory Management	Version 7.3.2
Oracle Communications Unified Inventory Management	Version 7.3.4
Oracle Communications Unified Inventory Management	Version 7.3.5
Oracle Communications Unified Inventory Management	Version 7.4.0
Oracle Communications Unified Inventory Management	Version 7.4.1
Oracle Retail Xstore Point Of Service	Version 16.0.6
Oracle Retail Xstore Point Of Service	Version 17.0.4
Oracle Retail Xstore Point Of Service	Version 18.0.3
Oracle Retail Xstore Point Of Service	Version 19.0.2
Oracle Webcenter Portal	Version 11.1.1.9.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.