Описание
Security update for xstream
This update for xstream fixes the following issues:
-
CVE-2022-40151: Fixed stackoverflow in XML serialization (bsc#1203520).
-
CVE-2022-41966: Fixed denial of service via uncontrolled recursion during deserialization (bsc#1206729).
-
Upgrade to 1.4.20.
Список пакетов
Container suse/manager/5.0/x86_64/server:latest
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
Image SLES15-SP4-Manager-Server-4-3
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
Image SLES15-SP4-Manager-Server-4-3-BYOS
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
Image server-image
SUSE Enterprise Storage 7
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Module for Development Tools 15 SP4
SUSE Linux Enterprise Real Time 15 SP3
SUSE Linux Enterprise Server 15 SP2-LTSS
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Manager Server Module 4.2
SUSE Manager Server Module 4.3
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:1673-1
- E-Mail link for SUSE-SU-2023:1673-1
- SUSE Security Ratings
- SUSE Bug 1203520
- SUSE Bug 1206729
- SUSE CVE CVE-2022-40151 page
- SUSE CVE CVE-2022-41966 page
Описание
Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Затронутые продукты
Ссылки
- CVE-2022-40151
- SUSE Bug 1203520
Описание
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
Затронутые продукты
Ссылки
- CVE-2022-41966
- SUSE Bug 1206729