CVE-2021-39140

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

### Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39140](https://x-stream.github.io/CVE-2021-39140.html). ### Credits The vulnerability was discovered and reported by Lai Han of nsfocus security team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)

### Impact The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. ### Patches XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. ### Workarounds See [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs. ### References See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39140](https://x-stream.github.io/CVE-2021-39140.html). ### Credits The vulnerability was discovered and reported by Lai Han of nsfocus security team. ### For more information If you have any questions or comments about this advisory: * Open an issue in [XStream](https://github.com/x-stream/xstream/issues) * Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)

XStream es una sencilla biblioteca para serializar objetos a XML y viceversa. En las versiones afectadas, esta vulnerabilidad puede permitir a un atacante remoto asignar el 100% del tiempo de la CPU en el sistema de destino, dependiendo del tipo de CPU o de una ejecución en paralelo de dicha carga útil, resultando en una denegación de servicio sólo al manipular el flujo de entrada procesado. No está afectado ningún usuario que haya seguido la recomendación de configurar el framework de seguridad de XStream con una lista blanca limitada a los tipos mínimos necesarios. XStream versión 1.4.18 ya no usa una lista negra por defecto, ya que no puede ser asegurada para fines generales.