CVE-2021-21341

Exploit

EPSS 23.43%
Published 23.03.2021 00:15:12
Last modified 23.05.2025 17:38:30
Source security-advisories@github.com
Teams watchlist Login
Open Login

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Affected products Warnungen 0 Metrics 4 CWE 2 References 18

Data is provided by the National Vulnerability Database (NVD)

Netapp ≫ Oncommand Insight Version-

Apache ≫ Activemq Version < 5.15.14

Apache ≫ Activemq Version5.16.0

Apache ≫ Activemq Version5.16.1

Apache ≫ Jmeter Version < 5.5

Xstream ≫ Xstream Version < 1.4.16

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Oracle ≫ Banking Enterprise Default Management Version2.10.0

Oracle ≫ Banking Enterprise Default Management Version2.12.0

Oracle ≫ Banking Platform Version2.4.0

Oracle ≫ Banking Platform Version2.7.1

Oracle ≫ Banking Platform Version2.9.0

Oracle ≫ Banking Platform Version2.12.0

Oracle ≫ Business Activity Monitoring Version11.1.1.9.0

Oracle ≫ Business Activity Monitoring Version12.2.1.3.0

Oracle ≫ Business Activity Monitoring Version12.2.1.4.0

Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version12.0.0.3.0

Oracle ≫ Communications Unified Inventory Management Version7.3.2

Oracle ≫ Communications Unified Inventory Management Version7.3.4

Oracle ≫ Communications Unified Inventory Management Version7.3.5

Oracle ≫ Communications Unified Inventory Management Version7.4.0

Oracle ≫ Communications Unified Inventory Management Version7.4.1

Oracle ≫ Retail Xstore Point Of Service Version16.0.6

Oracle ≫ Retail Xstore Point Of Service Version17.0.4

Oracle ≫ Retail Xstore Point Of Service Version18.0.3

Oracle ≫ Retail Xstore Point Of Service Version19.0.2

Oracle ≫ Webcenter Portal Version11.1.1.9.0

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Oracle ≫ Webcenter Portal Version12.2.1.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	23.43%	0.958

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	7.1	8.6	6.9	AV:N/AC:M/Au:N/C:N/I:N/A:C
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Vendor Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Third Party Advisory

https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E

Third Party Advisory

Mailing List