XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStreams security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xstream | Xstream | * | 1.4.18 (excluding) |
| Red Hat Data Grid 8.3.0 | RedHat | xstream | * |
| Red Hat Enterprise Linux 7 | RedHat | xstream-0:1.3.1-16.el7_9 | * |
| Red Hat Integration | RedHat | xstream | * |
| Red Hat Integration Camel Quarkus 2 | RedHat | xstream | * |
| RHDM 7.12.0 | RedHat | xstream | * |
| RHPAM 7.12.0 | RedHat | xstream | * |
| Libxstream-java | Ubuntu | bionic | * |
| Libxstream-java | Ubuntu | esm-apps/bionic | * |
| Libxstream-java | Ubuntu | esm-apps/focal | * |
| Libxstream-java | Ubuntu | focal | * |
| Libxstream-java | Ubuntu | hirsute | * |
| Libxstream-java | Ubuntu | impish | * |
| Libxstream-java | Ubuntu | trusty | * |
| Libxstream-java | Ubuntu | xenial | * |