Bug 2324606 (CVE-2024-47072) - CVE-2024-47072 com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Keywords:
Status: NEW
Alias: CVE-2024-47072
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-11-08 13:48 UTC by OSIDB Bzimport
Modified: 2025-03-17 23:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:10214 0 None None None 2024-11-25 16:56:12 UTC
Red Hat Product Errata RHSA-2025:2218 0 None None None 2025-03-04 14:37:17 UTC
Red Hat Product Errata RHSA-2025:2219 0 None None None 2025-03-04 14:17:52 UTC
Red Hat Product Errata RHSA-2025:2220 0 None None None 2025-03-04 14:37:55 UTC
Red Hat Product Errata RHSA-2025:2221 0 None None None 2025-03-04 14:38:25 UTC
Red Hat Product Errata RHSA-2025:2222 0 None None None 2025-03-04 14:19:26 UTC
Red Hat Product Errata RHSA-2025:2223 0 None None None 2025-03-04 14:38:49 UTC

Description OSIDB Bzimport 2024-11-08 13:48:03 UTC
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
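As an added illustration of the workaround named in the description (not code from the XStream project or from the reporter): a Java caller configured with BinaryStreamDriver that catches the StackOverflowError on unpatched versions and the InputManipulationException that 1.4.21 raises, while keeping XStream's type allowlist to the one expected class. The Greeting payload type and the com.thoughtworks.xstream.security package location of InputManipulationException are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
// Assumed package for the exception XStream 1.4.21 raises on a manipulated binary stream.
import com.thoughtworks.xstream.security.InputManipulationException;

public final class BinaryStreamGuard {
    public static final class Greeting { String text; } // hypothetical payload type

    private static XStream newXStream() {
        XStream xstream = new XStream(new BinaryStreamDriver());
        // XStream's default security framework rejects every type that is not
        // explicitly allowed; permit only the one type this caller expects.
        xstream.allowTypes(new Class[] { Greeting.class });
        return xstream;
    }

    // Writes a Greeting in XStream's binary format (constructed sample input).
    static byte[] encode(Greeting greeting) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        newXStream().toXML(greeting, out);
        return out.toByteArray();
    }

    // Reads untrusted binary input; a manipulated stream yields null instead of
    // killing the calling thread with an uncaught StackOverflowError.
    static Greeting decodeUntrusted(InputStream in) {
        try {
            return (Greeting) newXStream().fromXML(in);
        } catch (InputManipulationException e) {
            // XStream 1.4.21 and later detect the manipulation and throw this.
            return null;
        } catch (StackOverflowError e) {
            // Workaround from the advisory for callers still on an unpatched version.
            return null;
        }
    }

    public static void main(String[] args) {
        Greeting greeting = new Greeting();
        greeting.text = "hello";
        Greeting back = decodeUntrusted(new ByteArrayInputStream(encode(greeting)));
        System.out.println(back == null ? "rejected" : back.text);
    }
}
```

On a version before 1.4.21 the InputManipulationException import will not compile; drop that catch clause there and rely on the StackOverflowError handler alone, as the description suggests.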

Comment 1 errata-xmlrpc 2024-11-25 16:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2024:10214 https://access.redhat.com/errata/RHSA-2024:10214

Comment 5 errata-xmlrpc 2025-03-04 14:17:47 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.16-RHEL-9

Via RHSA-2025:2219 https://access.redhat.com/errata/RHSA-2025:2219

Comment 6 errata-xmlrpc 2025-03-04 14:19:21 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2025:2222 https://access.redhat.com/errata/RHSA-2025:2222

Comment 7 errata-xmlrpc 2025-03-04 14:37:11 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.17-RHEL-9

Via RHSA-2025:2218 https://access.redhat.com/errata/RHSA-2025:2218

Comment 8 errata-xmlrpc 2025-03-04 14:37:50 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2025:2220 https://access.redhat.com/errata/RHSA-2025:2220

Comment 9 errata-xmlrpc 2025-03-04 14:38:19 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2025:2221 https://access.redhat.com/errata/RHSA-2025:2221

Comment 10 errata-xmlrpc 2025-03-04 14:38:43 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2025:2223 https://access.redhat.com/errata/RHSA-2025:2223
