Severity
7.5
High severity
Details
- CVSS score: 7.5
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Overview
About vulnerability
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability that may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Details
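The mitigation the advisory refers to is the allowlist mode of XStream's security framework. The following is an added example written for this page, not code from the XStream project or from the advisory; the `Order` class and the `<java.util.HashMap/>` input are constructed for illustration. It clears every permission (including the default blacklist), re-enables only null, primitives and the handful of application types that are actually unmarshalled, and shows that input naming any other type is refused before instantiation.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class XStreamAllowlistExample {

    /** Hypothetical application type that the service legitimately needs to unmarshal. */
    public static class Order {
        String customer;
        int quantity;
        List<String> items = new ArrayList<>();
    }

    /** Build an XStream instance that accepts only the types this application needs. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Drop every permission, including the default blacklist, so that nothing
        // is allowed unless it is explicitly listed below.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-enable the minimal building blocks: null, primitives and their wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // String is not covered by PRIMITIVES and must be allowed explicitly,
        // as must every application class and the collection types it uses.
        xstream.allowTypes(new Class[] { String.class, Order.class, ArrayList.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Legitimate round trip through the allowlisted instance.
        Order order = new Order();
        order.customer = "alice";
        order.quantity = 2;
        order.items.add("widget");
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.customer + " x" + back.quantity);

        // Constructed input naming a type outside the allowlist. The security
        // mapper rejects it with a ForbiddenClassException (an XStreamException;
        // for a nested element it may surface wrapped in a ConversionException)
        // before any object of that type is created.
        String untrusted = "<java.util.HashMap/>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("UNEXPECTED: disallowed type was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practical checks go with this. First, confirm which XStream version actually ends up on the classpath, since several products in the affected list (ActiveMQ, CXF, Struts, Camel, Groovy) pull it in transitively: in a Maven build, `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` lists every copy of the `com.thoughtworks.xstream:xstream` artifact and its resolved version. Second, treat the allowlist as the primary control and the version bump as defence in depth: an instance configured as above is not affected per the advisory, whereas an instance that still relies on the default blacklist needs at least 1.4.16.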
- Affected product: AlmaLinux 9.2 ESU, Alpine Linux 3.22, Alpine Linux 3.23, Apache ActiveMQ, Apache CXF, Apache Struts, CentOS 6 ELS, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, CloudLinux 6 ELS, Debian 12, Debian 13, EL 7, Oracle Linux 6 ELS, Spring, Ubuntu 16.04 ELS, Ubuntu 18.04 ELS, activemq, artemis, camel, chronicle-engine, chronicle-map, cocoon, groovy, kahadb, mxparser, optaplanner, xstream
- Affected packages: struts2-apps @ 2.5.33 (+2853 more)