CVE-2021-43859: 
Java vulnerability analysis and mitigation

XStream, an open source Java library used to serialize objects to XML and back again, was found to be vulnerable to a Denial of Service attack (CVE-2021-43859). The vulnerability affects all versions up to and including 1.4.18. The issue was discovered by r00t4dm at Cloud-Penetrating Arrow Lab and was patched in version 1.4.19 (XStream Doc).

The vulnerability occurs during the unmarshalling process when XStream recreates objects based on type information in the processed stream. An attacker can manipulate the input stream to inject objects that cause exponential recursive hashcode calculations. The issue affects several Java collection types including HashMap, HashSet, Hashtable, LinkedHashMap, LinkedHashSet, and in older Java versions, Stack and Vector. The vulnerability is present in formats that support references, such as XML, but does not affect JSON (XStream Doc, Jenkins Advisory).

A successful exploit allows remote attackers to cause a Denial of Service by consuming 100% CPU resources on the target system. The attack can be executed by manipulating the processed input stream, with the calculation time increasing exponentially due to the highly recursive structure (XStream Doc).

Several workarounds are available: 1) Set NO_REFERENCE mode if the object graph doesn't use referenced elements, 2) Use the security framework to deny usage of affected collection types, 3) Change the default implementation of java.util.Map and java.util.Set to TreeMap and TreeSet respectively at unmarshalling time. The permanent fix is to upgrade to XStream version 1.4.19, which monitors and accumulates the time taken to add elements to collections and throws an exception if a set threshold is exceeded (XStream Doc, GitHub Advisory).