{
  "threat_severity" : "Important",
  "public_date" : "2024-11-07T23:38:52Z",
  "bugzilla" : {
    "description" : "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream",
    "id" : "2324606",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324606"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "(CWE-121|CWE-502)",
  "details" : [ "XStream is a simple library to serialize objects to XML and back again. When XStream is configured to use the BinaryStreamDriver, a remote attacker can terminate the application with a stack overflow error, resulting in a denial of service, merely by manipulating the processed binary input stream. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code that calls XStream if XStream is configured to use the BinaryStreamDriver.", "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application." ],
  "statement" : "This vulnerability in XStream is rated Important rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow that terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw lets an unauthenticated remote attacker terminate a service simply by submitting crafted input, with no user interaction, directly impacting availability. Additionally, the vulnerability's reliance on a common serialization mechanism elevates the risk, as it may affect applications across the many environments and industries where XStream is deployed.",
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2223",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-0:2.479.3.1740464431-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2223",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1740464689-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2222",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-0:2.479.3.1740464433-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2222",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-2-plugins-0:4.13.1740464698-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2221",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-0:2.479.3.1740109575-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2221",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-2-plugins-0:4.14.1740109868-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2220",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-0:2.479.3.1740051993-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2220",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-2-plugins-0:4.15.1740052174-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2219",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-0:2.479.3.1739896390-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2219",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-2-plugins-0:4.16.1739896683-1.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2218",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-0:2.479.3.1739859586-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-03-04T00:00:00Z",
    "advisory" : "RHSA-2025:2218",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-2-plugins-0:4.17.1739859908-1.el9"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "release_date" : "2025-03-10T00:00:00Z",
    "advisory" : "RHSA-2025:2545",
    "cpe" : "cpe:/a:redhat:build_keycloak:26"
  }, {
    "product_name" : "Red Hat build of Keycloak 26",
    "release_date" : "2025-06-09T00:00:00Z",
    "advisory" : "RHSA-2025:8690",
    "cpe" : "cpe:/a:redhat:build_keycloak:26"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2025-06-09T00:00:00Z",
    "advisory" : "RHSA-2025:8672",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.2.5-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2025-06-09T00:00:00Z",
    "advisory" : "RHSA-2025:8672",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9:26.2-4"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2025-06-09T00:00:00Z",
    "advisory" : "RHSA-2025:8672",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.2-4"
  }, {
    "product_name" : "Red Hat Data Grid",
    "release_date" : "2024-11-25T00:00:00Z",
    "advisory" : "RHSA-2024:10214",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "com.thoughtworks.xstream/xstream"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Cryostat 3",
    "fix_state" : "Affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:cryostat:3"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat build of Quarkus Native builder",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Will not fix",
    "package_name" : "com.thoughtworks.xstream/xstream",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47072\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47072\nhttps://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\nhttps://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\nhttps://x-stream.github.io/CVE-2024-47072.html" ],
  "name" : "CVE-2024-47072",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
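The interim mitigation described in the details (catching StackOverflowError in the client code that calls XStream with the BinaryStreamDriver) is shown below as an added example. This is not code from the XStream project or from Red Hat; the GuardedBinaryDeserializer and Message class names, the sample round-trip input, and the choice to also allowlist expected types are this example's own. It uses XStream's public API (new XStream(BinaryStreamDriver), allowTypes, toXML(Object, OutputStream), fromXML(InputStream)); the assumption that the InputManipulationException raised by patched versions is caught by the XStreamException handler is noted in the code.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Example (not XStream or Red Hat code): deserialization of XStream's binary
 * format guarded against both the patched library's rejection signal and the
 * StackOverflowError that unpatched versions raise on a manipulated stream.
 */
public class GuardedBinaryDeserializer {

    // Sample domain type used only for the constructed round-trip input below.
    public static final class Message {
        public String subject;
        public int priority;
    }

    private final XStream xstream;

    public GuardedBinaryDeserializer() {
        // The configuration the advisory concerns: XStream with the BinaryStreamDriver.
        xstream = new XStream(new BinaryStreamDriver());
        // Allowlist the exact types this endpoint expects; anything else is refused
        // by XStream's security framework before it is instantiated.
        xstream.allowTypes(new Class[] { Message.class });
    }

    /** Serializes with the binary driver (toXML writes the driver's format, not XML). */
    public byte[] serialize(Object value) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        xstream.toXML(value, out);
        return out.toByteArray();
    }

    /**
     * Returns the deserialized object, or null if the input was rejected.
     * Rejection is logged and the calling thread survives, so one bad request
     * does not take the whole service down.
     */
    public Object deserialize(byte[] data) {
        try (InputStream in = new ByteArrayInputStream(data)) {
            return xstream.fromXML(in);
        } catch (XStreamException e) {
            // XStream 1.4.21 and later detect the manipulated binary stream and raise
            // InputManipulationException. Assumption: it is a subclass of XStreamException
            // (as other XStream stream errors are), so this handler covers it.
            System.err.println("rejected input: " + e.getMessage());
            return null;
        } catch (StackOverflowError e) {
            // Interim mitigation from the advisory for versions before 1.4.21: the
            // manipulated stream exhausts the thread stack before XStream can object.
            // The stack is unwound by the time we get here, so the thread is reusable.
            System.err.println("rejected input: stack exhausted while parsing binary stream");
            return null;
        } catch (IOException e) {
            // ByteArrayInputStream.close() does not throw; kept for the try-with-resources form.
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        GuardedBinaryDeserializer guard = new GuardedBinaryDeserializer();

        // Constructed, legitimate input: a Message round-tripped through the binary driver.
        Message m = new Message();
        m.subject = "nightly build";
        m.priority = 2;
        byte[] wire = guard.serialize(m);

        Message back = (Message) guard.deserialize(wire);
        System.out.println("subject=" + back.subject + " priority=" + back.priority);

        // Constructed junk input: not the advisory's manipulation, just bytes that are
        // not a valid binary stream. With the guard in place this returns null instead
        // of propagating an exception out of the request handler.
        byte[] junk = new byte[] { 0x7f, 0x00, 0x01, 0x02 };
        System.out.println("junk accepted? " + (guard.deserialize(junk) != null));
    }
}
```

Catching StackOverflowError keeps the process alive but is a stopgap, not a fix: it only helps if the parse runs on a thread whose death or recovery the application controls, and the underlying parser still does unbounded work on attacker-controlled input. Upgrading to XStream 1.4.21 or later, where the library rejects the manipulated stream before the recursion begins, is the actual remediation.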