CVE-2021-21341 Overview
CVE-2021-21341 is a denial of service vulnerability in XStream, a Java library used to serialize objects to XML and back again. In XStream versions prior to 1.4.16, a remote attacker can manipulate the processed input stream to allocate 100% CPU time on the target system. The impact depends on the CPU type or parallel execution of such a payload, resulting in service unavailability. This vulnerability is classified as Resource Exhaustion (CWE-400) combined with Insecure Deserialization (CWE-502).
Users who followed the recommendation to configure XStream's security framework with a whitelist limited to the minimal required types are not affected. Those relying on the security framework's default blacklist must upgrade to at least version 1.4.16.
Critical Impact
Remote attackers can cause complete denial of service by consuming 100% CPU resources through specially crafted XML input, potentially rendering enterprise Java applications unresponsive.
Affected Products
- XStream versions prior to 1.4.16
- Apache ActiveMQ versions 5.16.0 and 5.16.1
- Apache JMeter (multiple versions)
- NetApp OnCommand Insight
- Debian Linux versions 9.0, 10.0, 11.0
- Fedora versions 33, 34, 35
- Oracle Banking Enterprise Default Management versions 2.10.0, 2.12.0
- Oracle Banking Platform versions 2.4.0, 2.7.1, 2.9.0, 2.12.0
- Oracle Business Activity Monitoring versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle Communications Billing and Revenue Management Elastic Charging Engine 12.0.0.3.0
- Oracle Communications Unified Inventory Management versions 7.3.2 through 7.4.1
- Oracle Retail XStore Point of Service versions 16.0.6, 17.0.4, 18.0.3, 19.0.2
- Oracle WebCenter Portal versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Discovery Timeline
- March 23, 2021 - CVE-2021-21341 published to NVD
- May 23, 2025 - Last updated in NVD database
Technical Details for CVE-2021-21341
Vulnerability Analysis
The vulnerability exists in how XStream processes certain XML input during deserialization operations. An attacker can craft a malicious XML payload that, when processed by XStream, causes the library to enter computationally expensive operations that consume excessive CPU resources. This is a combination of improper input validation leading to resource exhaustion (CWE-400) and insecure deserialization practices (CWE-502).
The attack requires no authentication and can be executed remotely over the network. The impact is limited to availability—there is no compromise of confidentiality or integrity. However, the denial of service can be severe, particularly in environments where multiple instances process such payloads in parallel, amplifying the CPU exhaustion effect.
Root Cause
The root cause lies in XStream's default blacklist-based security model, which fails to adequately restrict certain object types during deserialization. When XStream processes specially crafted XML input, it can instantiate objects that trigger algorithmic complexity attacks or infinite processing loops. The blacklist approach inherently cannot anticipate all potentially dangerous class combinations, making whitelist-based security the recommended mitigation.
Attack Vector
The attack is network-based and requires no user interaction or privileges. An attacker sends a maliciously crafted XML payload to any application endpoint that uses XStream for deserialization. The vulnerable application processes the input, triggering CPU-intensive operations that can consume 100% of available CPU resources. The attack can be sustained by repeatedly sending malicious payloads, maintaining the denial of service condition.
The exploitation involves manipulating the XML structure to trigger resource-intensive processing paths in XStream's deserialization logic. Since no authentication is required and the attack vector is network-accessible, any externally exposed application using vulnerable XStream versions is at risk.
Detection Methods for CVE-2021-21341
Indicators of Compromise
- Sudden and sustained 100% CPU utilization on Java application servers
- Application endpoints processing XML becoming unresponsive
- Unusual patterns in XML deserialization logs showing repetitive or deeply nested structures
- Java process threads blocked in XStream deserialization methods
Detection Strategies
- Monitor CPU utilization patterns for Java applications using XStream, alerting on sustained high CPU usage
- Implement application-level logging to track XML deserialization operations and payload sizes
- Deploy Web Application Firewall (WAF) rules to detect anomalous XML payloads targeting deserialization endpoints
- Use Java profiling tools to identify XStream methods consuming excessive CPU cycles
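As an added example (not from the original advisory or the XStream project), the Python below triages a jstack thread dump for the indicator listed above: RUNNABLE threads whose stack is inside XStream's com.thoughtworks.xstream unmarshalling code, filtered by per-thread CPU time. The dump is a constructed sample; the controller class and frame line numbers are illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import List
XSTREAM_FRAME = "at com.thoughtworks.xstream."  # real package prefix of XStream's unmarshalling code
NAME_RE = re.compile(r'^"([^"]+)"')             # thread name at the start of a jstack header line
CPU_RE = re.compile(r"cpu=([\d.]+)ms")          # per-thread CPU time, printed by JDK 11+ jstack
STATE_RE = re.compile(r"java\.lang\.Thread\.State:\s+(\w+)")
@dataclass
class ThreadInfo:
    name: str
    state: str = "UNKNOWN"          # JVM-internal threads (GC etc.) have no State line
    cpu_ms: float = 0.0
    frames: List[str] = field(default_factory=list)
    def in_xstream(self) -> bool:
        return any(f.startswith(XSTREAM_FRAME) for f in self.frames)

def parse_jstack(dump: str) -> List[ThreadInfo]:
    """Split a jstack dump into threads with state, CPU time and stack frames."""
    threads: List[ThreadInfo] = []
    for raw in dump.splitlines():
        line = raw.strip()
        name = NAME_RE.match(line)
        if name:                       # a header line starts a new thread
            cpu = CPU_RE.search(line)
            threads.append(ThreadInfo(name.group(1), cpu_ms=float(cpu.group(1)) if cpu else 0.0))
        elif threads:
            state = STATE_RE.search(line)
            if state:
                threads[-1].state = state.group(1)
            elif line.startswith("at "):
                threads[-1].frames.append(line)
    return threads

def xstream_hot_threads(dump: str, min_cpu_ms: float = 0.0) -> List[ThreadInfo]:
    """RUNNABLE threads inside XStream deserialization with >= min_cpu_ms of CPU time;
    several of these at once is the CPU-exhaustion pattern this advisory describes."""
    return [t for t in parse_jstack(dump)
            if t.state == "RUNNABLE" and t.in_xstream() and t.cpu_ms >= min_cpu_ms]

# Constructed sample dump (not a real capture; frame line numbers are illustrative).
SAMPLE_DUMP = '''\
"http-nio-8080-exec-1" #21 daemon prio=5 os_prio=0 cpu=118420.31ms elapsed=130.02s tid=0x00007f3a nid=0x2b01 runnable  [0x00007f3b]
   java.lang.Thread.State: RUNNABLE
\tat com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
\tat com.thoughtworks.xstream.XStream.fromXML(XStream.java:1350)
\tat com.example.api.ImportController.handle(ImportController.java:44)
"http-nio-8080-exec-2" #22 daemon prio=5 os_prio=0 cpu=12.50ms elapsed=130.01s tid=0x00007f3c nid=0x2b02 waiting on condition  [0x00007f3d]
   java.lang.Thread.State: WAITING (parking)
"GC Thread#0" os_prio=0 cpu=310.20ms elapsed=130.50s tid=0x00007f3e nid=0x2b00 runnable
'''
```

Run it against a real dump (`jstack <pid>`) taken while CPU is pegged; a handful of request-handler threads all inside XStream with large cpu values is the signature to escalate on.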
Monitoring Recommendations
- Configure CPU threshold alerts for Java application servers at 80% sustained utilization
- Enable detailed logging for XML processing endpoints to capture payload characteristics
- Monitor request latency for endpoints that utilize XStream deserialization
- Track thread pool exhaustion metrics in Java application servers
How to Mitigate CVE-2021-21341
Immediate Actions Required
- Upgrade XStream to version 1.4.16 or later immediately
- Configure XStream's security framework with an explicit whitelist of minimal required types
- Review all applications using XStream and identify externally exposed deserialization endpoints
- Implement rate limiting on endpoints that process XML input
Patch Information
The vulnerability is fixed in XStream version 1.4.16. Users should upgrade to this version or later. For detailed patch information, see the X-Stream Changes Log 1.4.16. Oracle has also released patches through their Critical Patch Updates—refer to Oracle Security Alert CPU January 2022 for Oracle product updates.
Additional vendor advisories include NetApp Security Advisory NTAP-20210430-0002 for OnCommand Insight and Debian Security DSA-5004 for Debian Linux systems.
Workarounds
- Implement a whitelist-based security configuration in XStream limiting allowed types to only those explicitly required
- Block or filter XML input at the network perimeter for untrusted sources
- Isolate XStream-dependent services behind authentication and access controls
- Consider alternative serialization libraries if XStream's security model cannot be adequately configured
// XStream whitelist security configuration example (XStream security framework)
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

XStream xstream = new XStream();
// NoTypePermission.NONE clears every permission registered so far, including the defaults
xstream.addPermission(NoTypePermission.NONE);
// Re-add only the building blocks needed to deserialize the allowed types
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
// Allowing the whole Collection hierarchy is convenient but broad; prefer the concrete collection classes your payloads actually contain
xstream.allowTypeHierarchy(Collection.class);
// Add only required application-specific types (YourSafeClass is a placeholder for your own class)
xstream.allowTypes(new Class[] { YourSafeClass.class });
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

