CVE-2022-41966 - OpenCVE

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Xstream Project	Xstream

Configuration 1 [-]

cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv	Mitigation Third Party Advisory
https://x-stream.github.io/CVE-2022-41966.html	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-27T23:07:54.048Z

Updated:

Reserved: 2022-09-30T16:38:28.949Z

Link: CVE-2022-41966

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-12-28T00:15:14.237

Modified: 2023-06-27T14:04:14.103

Link: CVE-2022-41966

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-41966", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-09-30T16:38:28.949Z", "datePublished": "2022-12-27T23:07:54.048Z"}, "containers": {"cna": {"title": "XStream Denial of Service via stack overflow ", "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"}, {"name": "https://x-stream.github.io/CVE-2022-41966.html", "tags": ["x_refsource_MISC"], "url": "https://x-stream.github.io/CVE-2022-41966.html"}], "affected": [{"vendor": "x-stream", "product": "xstream", "versions": [{"version": "< 1.4.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-27T23:07:54.048Z"}, "descriptions": [{"lang": "en", "value": "XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable."}], "source": {"advisory": "GHSA-j563-grx4-pjpv", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E8AFB6E-9DE2-448A-B1EC-16114B6D43F9", "versionEndExcluding": "1.4.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable."}, {"lang": "es", "value": "XStream serializa objetos Java a XML y viceversa. Las versiones anteriores a la 1.4.20 pueden permitir que un atacante remoto finalice la aplicaci\u00f3n con un error de desbordamiento de pila, lo que resulta en una denegaci\u00f3n de servicio \u00fanicamente mediante la manipulaci\u00f3n del flujo de entrada procesado. El ataque utiliza la implementaci\u00f3n del c\u00f3digo hash para colecciones y mapas para forzar el c\u00e1lculo hash recursivo provocando un desbordamiento de la pila. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.20, que maneja el desbordamiento de la pila y genera una excepci\u00f3n InputManipulationException. Una posible soluci\u00f3n para los usuarios que solo usan HashMap o HashSet y cuyo XML los refiere solo como mapa o conjunto predeterminado, es cambiar la implementaci\u00f3n predeterminada de java.util.Map y java.util seg\u00fan el ejemplo de c\u00f3digo en el aviso al que se hace referencia. Sin embargo, esto implica que a su aplicaci\u00f3n no le importa la implementaci\u00f3n del mapa y todos los elementos son comparables."}], "id": "CVE-2022-41966", "lastModified": "2023-06-27T14:04:14.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-28T00:15:14.237", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://x-stream.github.io/CVE-2022-41966.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}