Bug 2170431 (CVE-2022-41966)

Summary: CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, aileenc, alampare, alazarot, anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dbruscin, dfreiber, dhanak, dkreling, dosoudil, drosa, drow, ellin, emingora, eric.wittmann, fjuma, fmariani, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jmartisk, jnethert, jpavlik, jpechane, jpoth, jrokos, jross, kvanderr, kverlaen, lbacciot, lgao, lthon, manderse, max.andersen, mizdebsk, mnovotny, mokumar, mosmerov, mposolda, msochure, msvehla, nipatil, nwallace, olubyans, pantinor, pcongius, pdelbell, pdrozd, peholase, periklis, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rjohnson, rkieley, rkubis, rogbas, rojacob, rrajasek, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, scorneli, sdouglas, shbose, smaestri, ssilvert, sthorger, tcunning, tom.jenkinson, tqvarnst, vkumar, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xstream 1.4.20 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-16 13:29:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2170626, 2170627, 2170744    
Bug Blocks: 2170432    

Description TEJ RATHI 2023-02-16 11:11:59 UTC 
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

https://x-stream.github.io/CVE-2022-41966.html
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
Comment 1 Anten Skrabec 2023-02-16 20:16:42 UTC 
Created xstream tracking bugs for this issue:

Affects: epel-all [bug 2170627]
Affects: fedora-all [bug 2170626]
Comment 10 errata-xmlrpc 2023-03-08 14:55:23 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006
Comment 11 errata-xmlrpc 2023-03-09 10:47:06 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.7-1

Via RHSA-2023:1177 https://access.redhat.com/errata/RHSA-2023:1177
Comment 13 errata-xmlrpc 2023-03-16 09:31:28 UTC 
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:1286 https://access.redhat.com/errata/RHSA-2023:1286
Comment 14 Product Security DevOps Team 2023-03-16 13:29:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41966
Comment 15 errata-xmlrpc 2023-04-27 00:48:58 UTC 
This issue has been addressed in the following products:

  MTA-6.1-RHEL-8

Via RHSA-2023:2041 https://access.redhat.com/errata/RHSA-2023:2041
Comment 16 errata-xmlrpc 2023-05-03 14:06:52 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
Comment 17 errata-xmlrpc 2023-06-19 10:13:05 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
Comment 18 errata-xmlrpc 2023-06-23 17:41:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3625 https://access.redhat.com/errata/RHSA-2023:3625
Comment 21 errata-xmlrpc 2023-06-29 20:08:17 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
Comment 24 errata-xmlrpc 2024-03-18 09:48:26 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.5 async

Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353