{ "threat_severity" : "Important", "public_date" : "2022-12-28T00:00:00Z", "bugzilla" : { "description" : "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", "id" : "2170431", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2170431" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.", "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow." ], "statement" : "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-03-16T00:00:00Z", "advisory" : "RHSA-2023:1286", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-container-rhel8:1.0-22" }, { "product_name" : "MTA-6.1-RHEL-8", "release_date" : "2023-04-27T00:00:00Z", "advisory" : "RHSA-2023:2041", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package" : "mta/mta-windup-addon-rhel8:6.1.0-11" }, { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-06-19T00:00:00Z", "advisory" : "RHSA-2023:3663", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-0:2.401.1.1686831596-3.el8" }, { "product_name" : "Red Hat build of Quarkus 2.7.7", "release_date" : "2023-03-08T00:00:00Z", "advisory" : "RHSA-2023:1006", "cpe" : "cpe:/a:redhat:quarkus:2.7", "package" : "com.thoughtworks.xstream/xstream" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "xstream", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2023-06-23T00:00:00Z", "advisory" : "RHSA-2023:3625", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "jenkins-0:2.401.1.1685677065-1.el8" }, { "product_name" : "RHINT Camel-Q 2.7-1", "release_date" : "2023-03-09T00:00:00Z", "advisory" : "RHSA-2023:1177", "cpe" : "cpe:/a:redhat:camel_quarkus:2.7" }, { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "xstream" }, { "product_name" : "RHPAM 7.13.5 async", "release_date" : "2024-03-18T00:00:00Z", "advisory" : "RHSA-2024:1353", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package" : "xstream" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_2-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_3-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "xstream", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "rh-sso7-keycloak", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-41966\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41966\nhttps://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv" ], "name" : "CVE-2022-41966", "csaw" : false }