Vulnerability Name:

CVE-2021-43859 (CCN-219177)

Assigned:2021-11-16
Published:2022-01-30
Updated:2022-08-09
Summary:XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-43859

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220209 Vulnerability in Jenkins

Source: XF
Type: UNKNOWN
xstream-cve202143859-dos(219177)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846

Source: CCN
Type: XStream GIT Repository
XStream can cause a Denial of Service by injecting highly recursive collections or maps

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220215 [SECURITY] [DLA 2924-1] libxstream-java security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-983a78275c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-ad5cf1c0dd

Source: CCN
Type: IBM Security Bulletin 6564607 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6575535 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

Source: CCN
Type: IBM Security Bulletin 6590209 (Spectrum Control)
IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE

Source: CCN
Type: IBM Security Bulletin 6593555 (Spectrum Copy Data Management)
Vulnerabilities in Golang Go, OpenSSL, Python, and XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6596981 (Spectrum Protect Plus)
Vulnerabilities in Samba, OpenSSL, Python, and XStream affect IBM Spectrum Protect Plus (CVE-2021-20254, CVE-2021-3712, CVE-2021-43859, CVE-2022-0778, CVE-2020-25717, CVE-2021-23192, CVE-2021-3733)

Source: CCN
Type: IBM Security Bulletin 6614725 (QRadar SIEM)
IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6829869 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859)

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: CCN
Type: IBM Security Bulletin 6855831 (Tivoli Netcool Configuration Manager)
Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859)

Source: CCN
Type: IBM Security Bulletin 6987685 (Engineering Test Management)
IBM Engineering Test Management is vulnerable to denial of service due to XStream (CVE-2021-43859)

Source: CCN
Type: IBM Security Bulletin 6988899 (Atlas eDiscovery Process Management)
Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: MISC
Type: Exploit, Vendor Advisory
https://x-stream.github.io/CVE-2021-43859.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.19)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.6)
  • OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.1.0)
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:* (Version < 12.0.0.4.6)

    • Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.18:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:atlas_ediscovery_process_management:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:engineering_test_management:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:engineering_test_management:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.15.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8073
    P
    		xstream-1.4.20-150200.3.25.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:3432
    P
    		apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:95062
    P
    		xstream-1.4.19-3.18.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:93851
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100096
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:102178
    P
    		Security update for xstream (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:94063
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100434
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:119146
    P
    		Security update for xstream (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:1195
    P
    		Security update for xstream (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:94277
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100768
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:94484
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:101857
    P
    		Security update for xstream (Moderate)
    2022-03-14
    BACK
    xstream_project xstream *
    fedoraproject fedora 34
    fedoraproject fedora 35
    debian debian linux 9.0
    oracle flexcube private banking 12.1.0
    oracle commerce guided search 11.3.2
    oracle retail xstore point of service 16.0.6
    oracle retail xstore point of service 17.0.4
    oracle retail xstore point of service 18.0.3
    oracle retail xstore point of service 19.0.2
    oracle retail xstore point of service 20.0.1
    oracle communications cloud native core automated test suite 1.9.0
    oracle communications policy management 12.6.0.0.0
    oracle communications diameter intelligence hub *
    oracle communications diameter intelligence hub *
    oracle communications brm - elastic charging engine 12.0.0.5.0
    oracle communications brm - elastic charging engine *
    xstream_project xstream 1.4.18
    ibm atlas ediscovery process management 6.0.3
    ibm tivoli netcool configuration manager 6.4.2
    oracle flexcube private banking 12.1
    ibm infosphere information server 11.7
    ibm spectrum protect plus 10.1.0
    ibm qradar security information and event manager 7.3
    ibm sterling b2b integrator 6.0.0.0
    ibm watson discovery 2.0.0
    ibm qradar security information and event manager 7.4 -
    ibm sterling b2b integrator 6.1.0.0
    ibm engineering test management 7.0.1
    ibm engineering test management 7.0.2
    ibm watson discovery 2.2.1
    ibm sterling b2b integrator 6.1.1.0
    ibm spectrum copy data management 2.2.0.0
    ibm spectrum copy data management 2.2.15.0
    ibm security verify governance 10.0