diff --git a/xstream-distribution/src/content/CVE-2022-40151.html b/xstream-distribution/src/content/CVE-2022-40151.html new file mode 100644 index 000000000..5fd80e5b6 --- /dev/null +++ b/xstream-distribution/src/content/CVE-2022-40151.html @@ -0,0 +1,67 @@ + + +
+CVE-2022-40151: XStream is vulnerable to a Denial of Service attack due to stack overflow.
+ +All versions until and including version 1.4.19 are affected, if using the version out of the box.
+ +The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in a stack overflow due to deeply nested objects causing a + denial of service.
+ +Create a simple HashSet and use XStream to marshal it to XML. Replace the XML with generated with the + following code snippet and unmarshal it with XStream:
+String xml = new String(); + int i = 0; + for( ; i < 10000; ++i) { + xml += ""; + } + for( ; i > 0; --i) { + xml += " "; + } +
XStream xstream = new XStream(); +xstream.fromXML(xml); +
As soon as the XML gets unmarshalled, the recursion is too deep and the executing thread is aborted with a stack + overflow error.
+ +The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting + in a denial of service only by manipulating the processed input stream.
+ +The only solution is to catch the StackOverflowError in the client code calling XStream.
+ +Henry Lin of the Google OSS-Fuzz team found and reported the issue to XStream and provided the required + information to reproduce it.
+ + + diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html index 84d606ba8..39c99b27a 100644 --- a/xstream-distribution/src/content/changes.html +++ b/xstream-distribution/src/content/changes.html @@ -33,8 +33,9 @@Not yet released.
-This maintenance release addresses the security vulnerability - CVE-2022-41966, causing a Denial of Service by raising a stack overflow.
+This maintenance release addresses the security vulnerabilities + CVE-2022-40151 and CVE-2022-41966, causing a + Denial of Service by raising a stack overflow.
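Review bot: The reproduction snippet in the new CVE-2022-40151.html appends only empty strings (`xml += "";` in the first loop and `xml += " ";` in the second), so as written it builds no nested elements at all and cannot produce the deep recursion the surrounding text describes; the opening and closing element tags for the nested collection need to be restored in both loops, and since this is an HTML page the angle brackets must be written as `&lt;` and `&gt;` or the browser will swallow them. Two smaller points in the same hunk: the sentence "Replace the XML with generated with the following code snippet" has a stray "with", and the 10000-iteration `+=` concatenation on a `String` would read better with a `StringBuilder`, though that does not affect the reproduction.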
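Review bot: The changes.html entry now says this release "addresses" CVE-2022-40151, but the new CVE-2022-40151.html page states "The only solution is to catch the StackOverflowError in the client code calling XStream", which implies XStream itself contains no fix for it; the two should be reconciled, either by stating in changes.html what the release actually changes for CVE-2022-40151 (or that it only documents the issue) or by describing the fix on the CVE page. Minor wording: with the subject now plural, "causing a Denial of Service by raising a stack overflow" reads better as "each causing a Denial of Service by raising a stack overflow".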