{"id":"OESA-2022-1512","summary":"xstream security update","details":"Java XML serialization library.\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker, solely by manipulating the processed input stream, to consume 100% of the CPU time on the target system (depending on CPU type or on parallel execution of such payloads), resulting in a denial of service. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCES mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible. (CVE-2021-43859)","modified":"2026-03-11T06:04:07.097878Z","published":"2022-02-11T11:03:30Z","upstream":["CVE-2021-43859"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1512"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43859"}],"affected":[{"package":{"name":"xstream","ecosystem":"openEuler:20.03-LTS-SP1","purl":"pkg:rpm/openEuler/xstream&distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"src":["xstream-1.4.18-2.oe1.src.rpm"],"noarch":["xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm","xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2022-1512.json"}},{"package":{"name":"xstream","ecosystem":"openEuler:20.03-LTS-SP2","purl":"pkg:rpm/openEuler/xstream&distro=openEuler-20.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},
{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"src":["xstream-1.4.18-2.oe1.src.rpm"],"noarch":["xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm","xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2022-1512.json"}},{"package":{"name":"xstream","ecosystem":"openEuler:20.03-LTS-SP3","purl":"pkg:rpm/openEuler/xstream&distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"src":["xstream-1.4.18-2.oe1.src.rpm"],"noarch":["xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2022-1512.json"}}],"schema_version":"1.7.5"}
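The fixed version in this record, 1.4.18-2.oe1, is a distribution backport: upstream fixed CVE-2021-43859 in 1.4.19, so a scanner that compares only the upstream version string would report a patched openEuler host as vulnerable. The following is an added example, not part of this OSV record or of openEuler's tooling: it evaluates an installed package's epoch:version-release against the record's ECOSYSTEM ranges, re-implementing rpm's segment-wise version comparison (rpmvercmp, without the '^' separator) in Python. The advisory is embedded as a trimmed copy of the record above, and the installed versions it is tried against are constructed.

```python
"""Evaluate installed openEuler xstream versions against the OESA-2022-1512 ranges.

Added example; not part of the OESA-2022-1512 record or of openEuler's tooling.
ADVISORY is a trimmed copy of the record (id, ecosystems and ranges only).
rpmvercmp() re-implements the segment comparison of rpm's rpmvercmp.c; the
'^' separator is not handled. Installed versions used below are constructed.
"""
import json

ADVISORY = json.loads("""{"id": "OESA-2022-1512", "upstream": ["CVE-2021-43859"],
 "affected": [
  {"package": {"name": "xstream", "ecosystem": "openEuler:20.03-LTS-SP1"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.18-2.oe1"}]}]},
  {"package": {"name": "xstream", "ecosystem": "openEuler:20.03-LTS-SP2"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.18-2.oe1"}]}]},
  {"package": {"name": "xstream", "ecosystem": "openEuler:20.03-LTS-SP3"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.18-2.oe1"}]}]}]}""")


def _run(s, k, pred):
    """Return the maximal run of characters starting at s[k] that satisfy pred."""
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]


def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings; returns -1, 0 or 1 like rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators; '~' is kept because it marks a pre-release that sorts first.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _run(a, i, pred), _run(b, j, pred)
        if not sb:  # segment types differ: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release' into its parts; a missing epoch counts as '0'."""
    epoch, sep, rest = evr.rpartition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def _intervals(rng):
    """Turn OSV range events into (start, end, end_inclusive) tuples; end None = still open."""
    out, start = [], None
    for ev in rng["events"]:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev:
            out.append((start, ev["fixed"], False))
            start = None
        elif "last_affected" in ev:
            out.append((start, ev["last_affected"], True))
            start = None
    if start is not None:
        out.append((start, None, False))
    return out


def is_affected(advisory, ecosystem, name, installed_evr):
    """True/False when the advisory covers (ecosystem, name); None when it does not."""
    covered = False
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        covered = True
        for rng in entry["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            for start, end, inclusive in _intervals(rng):
                if start != "0" and evr_cmp(installed_evr, start) < 0:
                    continue  # installed is older than where this interval begins
                if end is None:
                    return True
                rc = evr_cmp(installed_evr, end)
                if rc < 0 or (inclusive and rc == 0):
                    return True
    return False if covered else None


if __name__ == "__main__":
    for evr in ("1.4.18-1.oe1", "1.4.18-2.oe1", "1.4.19-1.oe1"):  # constructed installed versions
        print(evr, "affected:", is_affected(ADVISORY, "openEuler:20.03-LTS-SP3", "xstream", evr))
```

On a real host the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' xstream`; the release part is what distinguishes the patched 1.4.18-2.oe1 from the vulnerable 1.4.18-1.oe1, and an epoch, when present, is compared before either.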