Service Notices

XStream DoS Vulnerability (CVE-2022-41966)

Dec 30, 2022 GMT+08:00

I. Overview

XStream has officially released a security notice disclosing a high-risk denial-of-service (DoS) vulnerability (CVE-2022-41966) in versions earlier than 1.4.20. A remote attacker who can manipulate the input stream that XStream processes can terminate the application with a stack overflow error, resulting in a denial of service; no other access is required. The vulnerability details and a proof of concept (PoC) have been publicly disclosed, so the risk is high.

XStream is a Java library for serializing objects to XML (or JSON) and back again. If you use XStream, check the XStream version your applications actually load, including versions pulled in transitively by other dependencies, and apply security hardening in a timely manner.


II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

XStream < 1.4.20

Secure versions:

XStream >= 1.4.20

IV. Vulnerability Handling

This vulnerability has been fixed in XStream 1.4.20. If your service depends on an affected version, upgrade to 1.4.20 or later. For Maven builds, the resolved version can be confirmed with mvn dependency:tree by searching the output for com.thoughtworks.xstream:xstream; an older XStream may be present only as a transitive dependency of another library.

If you cannot upgrade promptly, apply the mitigations recommended on the XStream official website.
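The example below is added to this notice to illustrate the call-site hardening that the XStream advisory for CVE-2022-41966 describes for applications still on 1.4.19 or earlier: the code that calls XStream catches the StackOverflowError itself and treats the input as malicious, while also restricting deserialization to an explicit type allowlist. It is example code written for this notice, not code from XStream or from HUAWEI CLOUD. The class SafeXStreamClient, the application type Order and the exception RejectedInputException are hypothetical names chosen here; the version check assumes the XStream jar manifest carries an Implementation-Version entry and treats a missing value as "not known to be fixed".

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;

public final class SafeXStreamClient {

    /** Hypothetical application type: the only class the parser may instantiate. */
    public static final class Order {
        String id;
        int quantity;
    }

    /** Hypothetical exception surfaced to callers instead of an XStream internal or a raw Error. */
    public static final class RejectedInputException extends RuntimeException {
        RejectedInputException(String message, Throwable cause) { super(message, cause); }
    }

    /** First XStream release that handles the stack overflow internally (CVE-2022-41966). */
    static final int[] FIXED_VERSION = {1, 4, 20};

    static XStream newParser() {
        XStream xstream = new XStream();
        // Start from "deny every type" so behaviour is identical on 1.4.7 to 1.4.17 (denylist by
        // default) and on 1.4.18 and later (allowlist by default), then allow only what we expect.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    /** Parses untrusted XML into an Order, converting every XStream failure into RejectedInputException. */
    public static Order parseOrder(String untrustedXml) {
        try {
            return (Order) newParser().fromXML(untrustedXml);
        } catch (StackOverflowError e) {
            // XStream < 1.4.20: a crafted input drives the parser into unbounded recursion and the
            // thread dies with this Error; catching it here is the advisory's workaround for 1.4.19 and earlier.
            throw new RejectedInputException("rejected XStream input: stack overflow during parsing", e);
        } catch (XStreamException e) {
            // XStream >= 1.4.20 reports the same input as an XStreamException instead of an Error;
            // inputs naming a type outside the allowlist (ForbiddenClassException) also end up here.
            throw new RejectedInputException("rejected XStream input: " + e.getMessage(), e);
        }
    }

    /** Version reported by the loaded XStream jar's manifest, or null when the manifest has none (assumption). */
    static String loadedXStreamVersion() {
        return XStream.class.getPackage().getImplementationVersion();
    }

    /** Numeric comparison so that "1.4.20" is correctly ranked above "1.4.3" (a string compare gets this wrong). */
    static boolean isAtLeast(String version, int[] minimum) {
        if (version == null) return false;
        String[] parts = version.split("[.-]");
        for (int i = 0; i < minimum.length; i++) {
            int part;
            try {
                part = i < parts.length ? Integer.parseInt(parts[i]) : 0;
            } catch (NumberFormatException e) {
                return false; // non-numeric component such as "SNAPSHOT": do not assume it is fixed
            }
            if (part != minimum[i]) return part > minimum[i];
        }
        return true;
    }

    public static void main(String[] args) {
        String version = loadedXStreamVersion();
        if (!isAtLeast(version, FIXED_VERSION)) {
            System.err.println("WARNING: XStream version " + version
                    + " is not known to include the CVE-2022-41966 fix; upgrade to 1.4.20 or later");
        }
        // Constructed sample inputs: one well-formed order and one naming a type outside the allowlist.
        Order ok = parseOrder("<order><id>A-1</id><quantity>3</quantity></order>");
        System.out.println("parsed order " + ok.id + " x" + ok.quantity);
        try {
            parseOrder("<java.util.HashMap/>");
        } catch (RejectedInputException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Catching StackOverflowError only contains the failure; the stack of the thread that parsed the input has already been fully consumed and unwound, so run untrusted deserialization on a worker thread whose failure cannot take down the request handler, and keep the upgrade to 1.4.20 as the actual fix.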

HUAWEI CLOUD WAF can defend against this vulnerability for traffic that passes through it. If you are a WAF user, set the basic web protection status to Block. For details, see Enabling Basic Web Protection. Note that WAF only inspects HTTP requests routed through it; XStream input arriving over other channels (message queues, files, internal service calls) still requires the upgrade or mitigation above.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.