Is CVE-2021-21341 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 78%.

What products does CVE-2021-21341 affect?

Tracked products affected include ActiveMQ. Check the version you run to see whether it is affected.

How do I fix CVE-2021-21341?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2021-21341

Q: What is CVE-2021-21341?

CVE-2021-21341 is a high-severity software vulnerability (Uncontrolled resource consumption) with a CVSS score of 7.5. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or paralle

HIGH severity · CVSS 7.5 · Uncontrolled resource consumption

7.5CVSS HIGH

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)78%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

ActiveMQ

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2021-21341

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information