Service Notices
XStream DoS Vulnerability (CVE-2022-41966)
Dec 30, 2022 GMT+08:00
I. Overview
Recently, XStream officially released a security notice disclosing a high-risk DoS vulnerability (CVE-2022-41966) in versions earlier than 1.4.20. The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, simply by manipulating the processed input stream. The details and a POC of this vulnerability have already been disclosed, so the risk is high.
XStream is a Java class library used to serialize objects to XML (JSON) and back again. If you are an XStream user, check your XStream version and implement timely security hardening.
References:
https://x-stream.github.io/CVE-2022-41966.html
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
XStream < 1.4.20
Secure versions:
XStream >= 1.4.20
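The notice asks you to check your XStream version against the 1.4.20 boundary. The following script is an added example (not part of the original notice) that scans `mvn dependency:tree` output for the XStream artifact and compares each version numerically, so that 1.4.9 is correctly treated as older than 1.4.20. The dependency-tree lines are constructed samples under the hypothetical project `com.example:orders-service`; in practice, feed the script the real output of `mvn dependency:tree`.

```python
"""Check Maven dependency:tree output for XStream builds affected by CVE-2022-41966.

Added example, not part of the original notice: the sample lines below are
constructed so the script runs offline; point scan_dependency_tree() at real
`mvn dependency:tree` output in practice.
"""
import re
from typing import List, Tuple

# Version boundary from the notice: XStream < 1.4.20 affected, >= 1.4.20 secure.
FIXED_VERSION = "1.4.20"

# Constructed sample output in the mvn dependency:tree line format
# (groupId:artifactId:packaging:version:scope); the project is hypothetical.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:2.3.1
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO] |  \\- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
[INFO] \\- com.thoughtworks.xstream:xstream:jar:1.4.20:test
"""

# Matches the XStream artifact and captures its version and Maven scope.
XSTREAM_RE = re.compile(
    r"com\.thoughtworks\.xstream:xstream:[^:]+:(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.20' (or '1.4.20-SNAPSHOT') into a comparable integer tuple.

    Numeric comparison avoids the string-compare trap where '1.4.9' > '1.4.20'.
    """
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_affected(version: str) -> bool:
    """True when the version falls in the affected range (< 1.4.20)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_dependency_tree(text: str) -> List[Tuple[str, str, bool]]:
    """Return (version, scope, affected) for every XStream artifact in the tree."""
    findings = []
    for line in text.splitlines():
        match = XSTREAM_RE.search(line)
        if match:
            version = match.group("version")
            findings.append((version, match.group("scope"), is_affected(version)))
    return findings


if __name__ == "__main__":
    for version, scope, affected in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED (< 1.4.20)" if affected else "ok"
        print(f"xstream {version} [{scope}]: {status}")
```

Every XStream occurrence is reported with its scope, because a vulnerable copy pulled in transitively or only at test scope is still worth knowing about when deciding what to upgrade.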
IV. Vulnerability Handling
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
http://x-stream.github.io/download.html
If you cannot perform the upgrade in a timely manner, refer to the suggestions provided by the XStream official website to mitigate the problem.
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.