Web Application SecurityXStream.serializes.stack.overflow.Dos
Description
This indicates an attack attempt to exploit a Denial of Service Vulnerability in XStream.
The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
Affected Products
XStream Versions prior to 1.4.20
Impact
Denial of Service: Remote attackers can crash vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2023-04-14 | 0.00346 |
CVE References
CVE-2022-41966| ID | 1090501731 |
| Created | Apr 15, 2023 |
| Updated | Apr 15, 2023 |
| Risk |
|
| Default Action | pass |
| Active | |
| Affected OS | All |
| Affected App | XStream |
| Engine Version | 5.0.1 or later |