CVE-2021-21341

7.5 HIGH

📋 TL;DR

CVE-2021-21341 is a denial-of-service vulnerability in the XStream library: specially crafted XML input can drive CPU consumption to 100% on the target system. Only applications that have not set up XStream's security framework with a minimal type whitelist are affected; applications relying on the default blacklist are vulnerable.

💻 Affected Systems

Products:
  • XStream
  • Applications using XStream library
Versions: All versions before 1.4.16
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running with the default security configuration (blacklist) instead of an explicit type whitelist

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability due to 100% CPU consumption, potentially affecting multiple systems if exploited in parallel

🟠

Likely Case

Degraded performance or temporary service disruption on affected systems processing malicious XML

🟢

If Mitigated

No impact for users who implemented proper type whitelisting as recommended

🌐 Internet-Facing: MEDIUM - Exploitation requires XML processing endpoint exposure, but many applications use XStream internally
🏢 Internal Only: MEDIUM - Internal applications processing untrusted XML could be affected

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires the ability to submit XML input to an XStream parser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.16

Vendor Advisory: https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh

Restart Required: Yes

Instructions:

1. Update XStream dependency to version 1.4.16 or later
2. Update pom.xml or build.gradle to use XStream >=1.4.16
3. Redeploy application
4. Verify update with version check

🔧 Temporary Workarounds

Implement Type Whitelist (applies to all affected versions)

Configure XStream's security framework with the minimal set of types your application actually deserializes, instead of relying on the default blacklist. Note that permissions are additive, so the default "allow anything" permission must be cleared first or the whitelist has no effect:

xstream.addPermission(NoTypePermission.NONE); // clear existing permissions: deny every type
xstream.addPermission(new ExplicitTypePermission(new Class[]{YourAllowedClass.class})); // then allow only what you need
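The whitelist workaround above, carried through as an added example (not code from the advisory or from the XStream project): a hypothetical Order DTO is the only application type allowed, an input naming that type deserializes normally, and an input naming any other class is rejected before it is instantiated.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamWhitelistDemo {
    // Hypothetical application DTO: the only application type we ever expect in input.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream instance that accepts nothing beyond an explicit allow-list.
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // start from "deny everything"
        xstream.addPermission(NullPermission.NULL);                // allow null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[]{String.class, Order.class}); // the application's allow-list
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed sample input that only references whitelisted types.
        String good = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(good);
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed sample input naming a JDK class that is not on the allow-list.
        // XStream raises ForbiddenClassException (an XStreamException) from the
        // security mapper, so the class is never resolved or instantiated.
        String bad = "<java.util.HashMap/>";
        try {
            xs.fromXML(bad);
            System.out.println("UNEXPECTED: non-whitelisted type was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```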

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all XML input
  • Deploy network controls to limit XML processing to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check XStream version in application dependencies or classpath

Check Version:

mvn dependency:tree | grep xstream        # Maven projects
gradle dependencies | grep xstream        # Gradle projects
unzip -p xstream-*.jar META-INF/MANIFEST.MF | grep -i version   # inspect a deployed JAR directly

Verify Fix Applied:

Verify XStream version is 1.4.16 or higher in deployed application

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • XML parsing errors
  • Application performance degradation

Network Indicators:

  • Unusual XML payloads to application endpoints
  • Repeated XML submissions

SIEM Query:

source="application.logs" AND ("CPU 100%" OR "XStream" OR "XML parsing")

🔗 References
