CVE-2021-21348 Overview
CVE-2021-21348 is a denial of service vulnerability in XStream, a popular Java library used to serialize objects to XML and back again. In versions prior to 1.4.16, a remote attacker can craft malicious XML input that causes a thread to consume maximum CPU time indefinitely without returning, effectively creating a resource exhaustion condition.
The vulnerability exploits weaknesses in XStream's default security configuration. Applications that rely on XStream's built-in blacklist approach for security rather than implementing a proper whitelist are susceptible to this attack. The flaw enables unauthenticated attackers to degrade application performance or cause complete service unavailability through sustained CPU exhaustion.
Critical Impact
Remote attackers can exploit this vulnerability to cause complete denial of service by consuming maximum CPU resources on threads processing malicious XML input, potentially rendering affected applications and services unavailable.
Affected Products
- XStream versions prior to 1.4.16
- Apache ActiveMQ 5.16.0 and 5.16.1
- Apache JMeter (versions using vulnerable XStream)
- NetApp OnCommand Insight
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 33, 34, and 35
- Oracle Banking Enterprise Default Management 2.10.0 and 2.12.0
- Oracle Banking Platform 2.4.0, 2.7.1, 2.9.0, and 2.12.0
- Oracle Banking Virtual Account Management 14.2.0, 14.3.0, and 14.5.0
- Oracle Business Activity Monitoring 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0
- Oracle Communications Billing and Revenue Management Elastic Charging Engine 12.0.0.3.0
- Oracle Communications Policy Management 12.5.0
- Oracle Communications Unified Inventory Management 7.3.2 through 7.4.1
- Oracle MySQL Server
- Oracle Retail XStore Point of Service 16.0.6, 17.0.4, 18.0.3, and 19.0.2
- Oracle WebCenter Portal 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0
Discovery Timeline
- 2021-03-23 - CVE-2021-21348 published to NVD
- 2025-05-23 - Last updated in NVD database
Technical Details for CVE-2021-21348
Vulnerability Analysis
This vulnerability falls under CWE-400 (Uncontrolled Resource Consumption). The flaw exists in how XStream processes certain XML constructs during deserialization. When XStream encounters specially crafted XML input, the parsing logic enters a state where a processing thread consumes maximum CPU cycles without completing its operation or returning control.
The attack can be executed remotely over the network without requiring authentication or user interaction. The vulnerability specifically impacts system availability while leaving data confidentiality and integrity unaffected. Applications that process untrusted XML input through XStream are particularly at risk.
The vulnerability's impact is limited to users who have not configured XStream's security framework with an explicit whitelist of allowed types. Organizations that followed the recommended security practice of implementing type whitelisting are not affected by this vulnerability.
Root Cause
The root cause stems from XStream's default security approach using a blacklist mechanism rather than a whitelist. The blacklist attempts to block known dangerous types during deserialization, but this approach is inherently incomplete. The vulnerability exploits types or constructs not included in the blacklist that can trigger infinite or extremely long-running CPU-bound operations.
When processing malicious input, the deserialization logic fails to properly bound the computational complexity of certain operations, allowing attackers to trigger algorithmic complexity attacks that exhaust CPU resources.
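The difference between the deny-list default described above and an explicit allow-list is easiest to see in code. The following Java snippet is an added example, not code from the XStream project or from this advisory: it builds an XStream instance that starts from "nothing is allowed" and re-enables only the types one payload needs. The Order class, its field names and the sample documents are constructed for the example; the XStream calls (addPermission, allowTypes, allowTypesByWildcard) are the library's real security API.

```java
// Added example (not XStream project code): an XStream instance hardened with an
// explicit allow-list instead of the deny-list that vulnerable versions rely on.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ArrayTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class HardenedXStreamFactory {

    // Assumed application payload type; not part of XStream.
    public static class Order {
        public String id;
        public List<String> items = new ArrayList<>();
    }

    public static XStream newHardenedXStream() {
        XStream xstream = new XStream();

        // Drop the default deny-list permissions and start from deny-all. From here on,
        // only types that are explicitly re-added below can be deserialised.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-enable the building blocks nearly every document needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.addPermission(ArrayTypePermission.ARRAYS);

        // Allow exactly the JDK types the Order graph uses, plus Order itself.
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        // For a real model package, a wildcard keeps the list maintainable
        // (package name assumed): xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });

        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newHardenedXStream();

        // Constructed, benign document using only allow-listed types.
        String ok = "<order><id>A-1</id><items><string>widget</string></items></order>";
        Order order = (Order) xstream.fromXML(ok);
        System.out.println("parsed order " + order.id + " with " + order.items.size() + " item(s)");

        // Constructed document naming a type that is not on the allow-list. With a
        // deny-all baseline XStream refuses it before any converter runs, instead of
        // depending on the deny-list having anticipated this particular type.
        String notAllowed = "<java.util.TreeSet/>";
        try {
            xstream.fromXML(notAllowed);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected type: " + e.getMessage());
        }
    }
}
```

The important design point is the order of calls: NoTypePermission.NONE first, then the specific permissions. Adding allowTypes on top of the default permissions without clearing them still leaves the deny-list in charge, which is precisely the configuration this advisory says is affected.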
Attack Vector
The attack is network-based and requires no authentication or privileges. An attacker can exploit this vulnerability by sending specially crafted XML payloads to any endpoint that deserializes XML using a vulnerable version of XStream. The attack does not require any user interaction.
Attack scenarios include:
- Targeting REST APIs that accept XML input
- Exploiting SOAP web services using XStream for parsing
- Attacking message queue consumers (such as Apache ActiveMQ)
- Targeting any application that processes user-supplied XML through XStream
The malicious XML payload triggers CPU-intensive processing that blocks the handling thread indefinitely. In multi-threaded applications, repeated attacks can exhaust the thread pool, leading to complete service unavailability.
Detection Methods for CVE-2021-21348
Indicators of Compromise
- Unusual CPU spikes on servers running Java applications that use XStream
- Thread pool exhaustion in application servers with threads stuck in XML parsing operations
- Application unresponsiveness following receipt of XML payloads
- Log entries indicating XStream deserialization operations that never complete
- Monitoring alerts for abnormally long-running request processing times
Detection Strategies
- Monitor Java application thread dumps for threads blocked in XStream deserialization code paths
- Implement application performance monitoring (APM) to detect CPU exhaustion patterns
- Use Web Application Firewalls (WAF) to inspect and potentially block suspicious XML payloads
- Deploy runtime application self-protection (RASP) solutions to detect deserialization attacks
- Audit application dependencies to identify vulnerable XStream library versions
Monitoring Recommendations
- Configure alerting for sustained high CPU utilization on application servers
- Monitor thread pool metrics and alert on thread starvation conditions
- Track request processing times and alert on requests exceeding normal thresholds
- Implement logging for XStream deserialization events with timing information
- Use security information and event management (SIEM) correlation rules to detect patterns of DoS attempts
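A practical way to act on the thread-dump recommendation above is to automate the triage. The following Java program is an added example, not part of this advisory: it scans jstack output and reports threads that are RUNNABLE (consuming CPU, not waiting) while their stack is inside XStream deserialisation. The embedded dump is constructed for the example; in practice the input is the output of jstack on the affected JVM.

```java
// Added example (not from this advisory): flag RUNNABLE threads whose stack is inside
// com.thoughtworks.xstream, the pattern a CVE-2021-21348 CPU-exhaustion attempt leaves.
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XStreamThreadDumpTriage {
    // jstack thread header: "thread-name" #id ... state [address]
    static final Pattern HEADER = Pattern.compile("^\"([^\"]+)\" .*");
    // Thread state line, e.g. "   java.lang.Thread.State: WAITING (parking)"
    static final Pattern STATE = Pattern.compile("^\\s*java\\.lang\\.Thread\\.State: (\\w+)");
    // Stack frame inside XStream, e.g. "\tat com.thoughtworks.xstream.XStream.unmarshal("
    static final Pattern FRAME = Pattern.compile("^\\s*at (com\\.thoughtworks\\.xstream\\.[\\w.$<>]+)\\(");

    /** Returns thread name -> deepest XStream frame, for RUNNABLE threads inside XStream. */
    public static Map<String, String> findRunnableInXStream(String dump) {
        Map<String, String> suspects = new LinkedHashMap<>();
        String name = null, state = null, deepestXStreamFrame = null;
        for (String line : dump.split("\n")) {
            Matcher h = HEADER.matcher(line);
            if (h.matches()) {
                // New thread block: record the previous one if it qualifies.
                record(suspects, name, state, deepestXStreamFrame);
                name = h.group(1);
                state = null;
                deepestXStreamFrame = null;
                continue;
            }
            Matcher s = STATE.matcher(line);
            if (s.find()) {
                state = s.group(1);
                continue;
            }
            Matcher f = FRAME.matcher(line);
            // Frames are listed top-of-stack first, so the first XStream frame seen is the deepest.
            if (f.find() && deepestXStreamFrame == null) {
                deepestXStreamFrame = f.group(1);
            }
        }
        record(suspects, name, state, deepestXStreamFrame);
        return suspects;
    }

    private static void record(Map<String, String> out, String name, String state, String frame) {
        if (name != null && "RUNNABLE".equals(state) && frame != null) {
            out.put(name, frame);
        }
    }

    public static void main(String[] args) {
        // Constructed jstack excerpt: one request thread busy inside XStream, one idle.
        String dump = String.join("\n",
            "\"http-nio-8080-exec-3\" #42 daemon prio=5 os_prio=0 tid=0x00007f1 nid=0x2a runnable [0x00007f0]",
            "   java.lang.Thread.State: RUNNABLE",
            "\tat com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)",
            "\tat com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1421)",
            "\tat com.example.api.OrderController.parse(OrderController.java:55)",
            "",
            "\"http-nio-8080-exec-4\" #43 daemon prio=5 os_prio=0 tid=0x00007f2 nid=0x2b waiting on condition [0x00007f3]",
            "   java.lang.Thread.State: WAITING (parking)",
            "\tat sun.misc.Unsafe.park(Native Method)",
            "\tat java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)",
            "");

        Map<String, String> stuck = findRunnableInXStream(dump);
        System.out.println(stuck.size() + " thread(s) RUNNABLE inside XStream:");
        stuck.forEach((thread, frame) -> System.out.println("  " + thread + " at " + frame));
    }
}
```

Run it against two dumps taken a minute apart: the same thread name showing the same XStream frame in both is the "never completes" indicator listed above, and a count approaching the request pool size is the thread-starvation condition worth alerting on.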
How to Mitigate CVE-2021-21348
Immediate Actions Required
- Upgrade XStream to version 1.4.16 or later immediately
- Implement XStream's security framework with an explicit whitelist of required types
- Review all applications using XStream and prioritize patching internet-facing services
- Consider temporarily disabling XML-based endpoints until patches can be applied
- Implement rate limiting on endpoints that process XML input
Patch Information
XStream version 1.4.16 contains the fix for this vulnerability. The patch addresses the CPU exhaustion issue by improving input validation and processing controls during deserialization. For detailed information about the fix, refer to the X-Stream Changes Summary.
Multiple vendors have released patches incorporating the fixed XStream library:
- Oracle addressed this in their January 2022 Critical Patch Update
- NetApp released Security Advisory NTAP-20210430-0002
- Debian published DSA-5004
- Fedora released package updates for affected distributions
For additional technical details about this vulnerability, see the GitHub Security Advisory GHSA-56p8-3fh9-4cvq and the X-Stream CVE-2021-21348 Details.
Workarounds
- Configure XStream with a strict whitelist using the security framework, limiting deserialization to only the minimum required types
- Implement request timeout controls at the application or load balancer level to terminate long-running requests
- Deploy network-level controls to rate-limit or filter XML traffic to affected services
- Consider using alternative serialization mechanisms if XStream cannot be immediately upgraded
- Implement resource quotas for thread pools handling XML deserialization to prevent complete service exhaustion
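The request-timeout and thread-pool-quota workarounds above can be combined inside the application. The following Java class is an added example, not code from XStream or from this advisory: it runs every deserialisation on a dedicated, bounded thread pool and abandons a document after a fixed deadline, so a CPU-bound parse cannot pin a request thread indefinitely or spill into the server's main pool. The pool size, queue size and deadline values are assumptions to be tuned per deployment.

```java
// Added example (not XStream project code): bounded, time-limited XStream deserialisation
// as an application-level workaround where the library cannot be upgraded immediately.
import com.thoughtworks.xstream.XStream;

import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicInteger;

public class BoundedXmlDeserializer implements AutoCloseable {
    private final XStream xstream;
    private final long deadlineMillis;
    private final ThreadPoolExecutor pool;
    private final AtomicInteger timeouts = new AtomicInteger();

    public BoundedXmlDeserializer(XStream xstream, int maxParallel, int maxQueued, long deadlineMillis) {
        this.xstream = xstream;
        this.deadlineMillis = deadlineMillis;
        // Fixed-size pool, bounded queue, AbortPolicy: once the quota is used up, new
        // documents are rejected immediately (RejectedExecutionException) instead of
        // queueing behind threads that may be stuck in a long-running parse.
        this.pool = new ThreadPoolExecutor(maxParallel, maxParallel, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(maxQueued),
                r -> {
                    Thread t = new Thread(r, "xstream-deser");
                    t.setDaemon(true);
                    return t;
                },
                new ThreadPoolExecutor.AbortPolicy());
    }

    /** Deserialise xml, giving up (and counting a timeout) after the configured deadline. */
    public Object deserialize(String xml) throws TimeoutException {
        Future<Object> result = pool.submit(() -> xstream.fromXML(xml));
        try {
            return result.get(deadlineMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupt the worker. A purely CPU-bound loop may ignore the interrupt, which is
            // why the pool is separate and bounded: a stuck worker costs one slot here, not a
            // request thread, and timeoutCount()/busyWorkers() make the condition visible.
            result.cancel(true);
            timeouts.incrementAndGet();
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while waiting for deserialisation", e);
        } catch (ExecutionException e) {
            // ForbiddenClassException and conversion errors surface here; propagate the cause.
            throw new IllegalArgumentException("deserialisation failed", e.getCause());
        }
    }

    /** Documents that hit the deadline; export as a metric and alert on a rising rate. */
    public int timeoutCount() {
        return timeouts.get();
    }

    /** Workers currently busy; sustained at maxParallel is the thread-starvation signal. */
    public int busyWorkers() {
        return pool.getActiveCount();
    }

    @Override
    public void close() {
        pool.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        XStream xstream = new XStream();
        // Production code configures an explicit allow-list here; the demo allows only the
        // one type its constructed document contains.
        xstream.allowTypes(new Class[] { String.class });
        // Assumed sizing: 4 parallel parses, 16 queued, 2 s deadline.
        try (BoundedXmlDeserializer deser = new BoundedXmlDeserializer(xstream, 4, 16, 2000)) {
            Object value = deser.deserialize("<string>hello</string>"); // constructed, benign input
            System.out.println("parsed: " + value);
            System.out.println("timeouts so far: " + deser.timeoutCount()
                    + ", busy workers: " + deser.busyWorkers());
        }
    }
}
```

The wrapper is a containment measure, not a fix: it caps how much of the service one malicious document can take down and turns the attack into a measurable signal, but the upgrade to 1.4.16 and the allow-list remain the actual remediation.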
# Maven dependency update example - update pom.xml to use the patched version.
# Replace the existing XStream dependency with:
#   <dependency>
#     <groupId>com.thoughtworks.xstream</groupId>
#     <artifactId>xstream</artifactId>
#     <version>1.4.16</version>
#   </dependency>
# If XStream only arrives transitively (e.g. via ActiveMQ or JMeter), pin the version
# in <dependencyManagement> instead so the override applies to the whole tree.

# Verify which XStream version actually ends up on the classpath:
mvn dependency:tree | grep xstream

# For Gradle projects, update build.gradle:
#   implementation 'com.thoughtworks.xstream:xstream:1.4.16'
# and verify the resolved version:
./gradlew dependencies --configuration runtimeClasspath | grep xstream
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

