{"schema_version":"1.7.2","id":"OESA-2022-1512","modified":"2022-02-11T11:03:30Z","published":"2022-02-11T11:03:30Z","upstream":["CVE-2021-43859"],"summary":"xstream security update","details":"Java XML serialization library.\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to consume 100% of the CPU time on the target system, depending on CPU type or on parallel execution of such a payload, resulting in a denial of service solely by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible. (CVE-2021-43859)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"xstream","purl":"pkg:rpm/openEuler/xstream\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"noarch":["xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm","xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm"],"src":["xstream-1.4.18-2.oe1.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP2","name":"xstream","purl":"pkg:rpm/openEuler/xstream\u0026distro=openEuler-20.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"noarch":["xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm","xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm"],"src":["xstream-1.4.18-2.oe1.src.rpm"]}},{"package":{"e
cosystem":"openEuler:20.03-LTS-SP3","name":"xstream","purl":"pkg:rpm/openEuler/xstream\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.18-2.oe1"}]}],"ecosystem_specific":{"noarch":["xstream-benchmark-1.4.18-2.oe1.noarch.rpm","xstream-javadoc-1.4.18-2.oe1.noarch.rpm","xstream-1.4.18-2.oe1.noarch.rpm","xstream-hibernate-1.4.18-2.oe1.noarch.rpm","xstream-parent-1.4.18-2.oe1.noarch.rpm"],"src":["xstream-1.4.18-2.oe1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1512"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43859"}],"database_specific":{"severity":"High"}}