Document CVE-2022-40151 and add a test case. Closes #314.

x-stream · Dec 29, 2022 · 5eba8cf · 5eba8cf
1 parent ae25463
commit 5eba8cf
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 2 deletions.
diff --git a/xstream-distribution/src/content/CVE-2022-40151.html b/xstream-distribution/src/content/CVE-2022-40151.html
@@ -0,0 +1,67 @@
+<html>
+<!--
+ Copyright (C) 2022 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 26. November 2022 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2022-40151</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+
+    <p>CVE-2022-40151: XStream is vulnerable to a Denial of Service attack due to stack overflow.</p>
+
+    <h2 id="affected_versions">Affected Versions</h2>
+
+    <p>All versions until and including version 1.4.19 are affected, if using the version out of the box.</p>
+
+    <h2 id="description">Description</h2>
+
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in a stack overflow due to deeply nested objects causing a
+    denial of service.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+    <p>Create a simple HashSet and use XStream to marshal it to XML.  Replace the XML with generated with the
+    following code snippet and unmarshal it with XStream:</p>
+<div class="Source Java"><pre>String xml = new String();
+        int i = 0;
+        for( ; i &lt 10000; ++i) {
+            xml += "<set>";
+        }
+        for( ; i > 0; --i) {
+            xml += "</set>";
+        }
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the recursion is too deep and the executing thread is aborted with a stack
+    overflow error.</p>
+
+    <h2 id="impact">Impact</h2>
+
+    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
+    in a denial of service only by manipulating the processed input stream.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+	<p>The only solution is to catch the StackOverflowError in the client code calling XStream.</p>
+
+    <h2 id="credits">Credits</h2>
+
+    <p>Henry Lin of the Google OSS-Fuzz team found and reported the issue to XStream and provided the required
+    information to reproduce it.</p>
+
+      </body>
+ </html>
diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html
@@ -106,8 +106,9 @@ <h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1>
 
 	<p>Not yet released.</p>
 
-	<p class="highlight">This maintenance release addresses the security vulnerability
-	<a href="CVE-2022-41966.html">CVE-2022-41966</a>, causing a Denial of Service by raising a stack overflow.</p>
+	<p class="highlight">This maintenance release addresses the security vulnerabilities
+	<a href="CVE-2022-40151.html">CVE-2022-40151</a> and <a href="CVE-2022-41966.html">CVE-2022-41966</a>, causing a
+	Denial of Service by raising a stack overflow.</p>
 
 	<h2>Major changes</h2>
 

diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html
@@ -58,6 +58,10 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
         <td>XStream can cause a Denial of Service by injecting recursive collections or maps based on element's hash
         values raising a stack overflow.</td>
       </tr>
+      <tr>
+        <th><a href="CVE-2022-40151.html">CVE-2022-40151</a></th>
+        <td>XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow.</td>
+      </tr>
       <tr>
         <th>Version 1.4.18</th>
         <td></td>

diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml
@@ -64,6 +64,7 @@
     <section>
         <name>!Vulnerabilities</name>
         <page>CVE-2022-41966.html</page>
+        <page>CVE-2022-40151.html</page>
         <page>CVE-2021-21341.html</page>
         <page>CVE-2021-21342.html</page>
         <page>CVE-2021-21343.html</page>

diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -425,4 +425,22 @@ public void testStackOverflowWithRecursiveHashSet() {
             assertTrue(e.getMessage().contains("Stack Overflow"));
         }
     }
+
+    public void testStackOverflowWithDeeplyNestedStructure() {
+        final StringBuffer xml = new StringBuffer();
+        int i = 0;
+        for( ; i < 10000; ++i) {
+            xml.append("<set>");
+        }
+        for( ; i > 0; --i) {
+            xml.append("</set>");
+        }
+
+        try {
+            xstream.fromXML(xml.toString());
+            fail("Thrown " + InputManipulationException.class.getName() + " expected");
+        } catch (final InputManipulationException e) {
+            assertTrue(e.getMessage().contains("Stack Overflow"));
+        }
+    }
 }