Description
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, merely by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.
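The last sentence of the description recommends catching the StackOverflowError in the calling code as a stop-gap. The Java class below is an added illustration of that wrapper; it is not code from Red Hat or from the XStream project. The Message type, the class and method names, and the sample payload are assumptions made for the example. It uses only public XStream API: the BinaryStreamDriver, allowTypes, toXML/fromXML, XStreamException and, on 1.4.20 and later, InputManipulationException.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

/** Guarded XStream binary decoding (added example; all names are hypothetical). */
public class BinaryStreamGuard {

    /** Constructed sample payload type; the only type this endpoint accepts. */
    public static class Message {
        public String sender;
        public String body;
    }

    /** Outcome of a decode attempt: either a value or the reason it was rejected. */
    public static final class Decoded {
        public final Object value;
        public final String rejection;

        private Decoded(Object value, String rejection) {
            this.value = value;
            this.rejection = rejection;
        }

        public boolean isRejected() {
            return rejection != null;
        }
    }

    private static XStream newBinaryXStream() {
        XStream xs = new XStream(new BinaryStreamDriver());
        // Allow-list the expected type. This is unrelated to the stack-overflow
        // bug, but XStream must never deserialize untrusted input without it.
        xs.allowTypes(new Class[] { Message.class });
        return xs;
    }

    /** Serializes a Message with the binary driver; used here to build sample input. */
    public static byte[] encode(Message m) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        newBinaryXStream().toXML(m, out);
        return out.toByteArray();
    }

    /**
     * Decodes attacker-controlled bytes without letting a manipulated binary
     * stream terminate the whole application.
     */
    public static Decoded decode(byte[] untrusted) {
        XStream xs = newBinaryXStream();
        try {
            Object value = xs.fromXML(new ByteArrayInputStream(untrusted));
            return new Decoded(value, null);
        } catch (InputManipulationException e) {
            // XStream 1.4.21 and later: the manipulation is detected before the
            // stack overflows and is reported as this exception instead.
            return new Decoded(null, "manipulated binary stream: " + e.getMessage());
        } catch (XStreamException e) {
            // Other malformed input (truncated stream, disallowed type, ...).
            return new Decoded(null, "malformed input: " + e.getClass().getSimpleName());
        } catch (StackOverflowError e) {
            // XStream 1.4.20 and earlier: the only signal is the Error itself.
            // Catching it keeps the calling thread alive; the frames have already
            // unwound by the time this handler runs.
            return new Decoded(null, "stack overflow while decoding binary stream");
        }
    }

    public static void main(String[] args) {
        // Constructed legitimate payload: shows the happy path through decode().
        Message m = new Message();
        m.sender = "alice";
        m.body = "hello";
        Decoded result = decode(encode(m));
        System.out.println("rejected: " + result.isRejected()
                + ", sender: " + ((Message) result.value).sender);
    }
}
```

The InputManipulationException class only exists from XStream 1.4.20 onward; on older releases that catch clause must be removed or the method fails to link. The example does not reproduce a manipulated stream, since the page does not describe its layout. Catching StackOverflowError is a last resort rather than a fix: consider running decode() on a dedicated thread created with an explicit, small stack size so a malicious stream fails fast and cannot exhaust the memory of a thread that holds other state, and upgrade to 1.4.21 as the advisory recommends.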
Statement
This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the BinaryStreamDriver, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| AMQ Clients | com.thoughtworks.xstream/xstream | Affected | | |
| A-MQ Clients 2 | com.thoughtworks.xstream/xstream | Not affected | | |
| Cryostat 3 | com.thoughtworks.xstream/xstream | Affected | | |
| Logging Subsystem for Red Hat OpenShift | com.thoughtworks.xstream/xstream | Not affected | | |
| Red Hat build of Apache Camel 4 for Quarkus 3 | com.thoughtworks.xstream/xstream | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | com.thoughtworks.xstream/xstream | Will not fix | | |
| Red Hat build of Apache Camel - HawtIO 4 | com.thoughtworks.xstream/xstream | Not affected | | |
| Red Hat build of Apicurio Registry 2 | com.thoughtworks.xstream/xstream | Not affected | | |
| Red Hat build of Debezium 2 | com.thoughtworks.xstream/xstream | Will not fix | | |
| Red Hat build of OptaPlanner 8 | com.thoughtworks.xstream/xstream | Will not fix | | |
CVSS3: 7.5 High

Related vulnerabilities
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream