Buffer Overflow Affecting xstream package, versions <0:1.3.1-16.amzn2.0.1


Severity

high (based on the Amazon Linux security rating)

Threat Intelligence

EPSS
0.8% (82nd percentile)

  • Snyk ID: SNYK-AMZN2-XSTREAM-5411319
  • Published: 5 Apr 2023
  • Disclosed: 28 Dec 2022

Introduced: 28 Dec 2022

CVE-2022-41966
CWE-120
CWE-121
CWE-502

How to fix?

Upgrade Amazon-Linux:2 xstream to version 0:1.3.1-16.amzn2.0.1 or higher.
This issue was patched in ALAS2-2023-2007.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xstream package and not the xstream package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream. The attack abuses the hash code implementation of collections and maps: a crafted document makes a collection or map contain (directly or indirectly) a reference to itself, so computing its hash recurses until the stack overflows. This issue is patched in version 1.4.20, which catches the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet, and whose XML refers to these only as the default map or set, is to change the default implementation of java.util.Map and java.util.Set per the code example in the referenced advisory. However, this implies that your application does not care about the concrete implementation of the map or set and that all keys and elements are comparable.
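The mechanism and the workaround, shown in code as an added illustration (this is not code from the Snyk page or from the XStream project). The self-referencing HashSet/HashMap reproduce the hashCode recursion in plain JDK code, without any XML payload; the TreeMap/TreeSet substitution is the shape of the workaround the advisory describes, reproduced here from memory, and is why the "all elements comparable" caveat applies. The class name is an assumption, and `hardenedXStream` needs an XStream 1.4.x jar on the classpath; on 1.4.20 or later the library already handles the overflow itself.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import com.thoughtworks.xstream.XStream;

// Illustrative class, not part of XStream or of the Snyk advisory.
public class XStreamHashRecursion {

    // A HashSet that contains itself. HashSet.add hashes the element at insertion
    // time, when the set is still empty, so the add succeeds; every later
    // hashCode() call then recurses through AbstractSet.hashCode without end.
    static Set<Object> selfContainingHashSet() {
        Set<Object> s = new HashSet<>();
        s.add(s);
        return s;
    }

    // Same shape with a map: AbstractMap.hashCode sums entry hashes, and an entry
    // whose value is the map itself recurses the same way.
    static Map<Object, Object> selfContainingHashMap() {
        Map<Object, Object> m = new HashMap<>();
        m.put("self", m);
        return m;
    }

    // True when hashing the collection exhausts the stack, i.e. the condition the
    // advisory describes. Catching StackOverflowError is the same strategy 1.4.20
    // uses before raising its own exception instead of dying.
    static boolean hashOverflows(Object collection) {
        try {
            collection.hashCode();
            return false;
        } catch (StackOverflowError e) {
            return true;
        }
    }

    // TreeSet orders elements with compareTo; a Set is not Comparable, so the
    // self-reference is rejected at insertion instead of poisoning hashCode().
    // This is why substituting TreeMap/TreeSet works, and why it only fits
    // applications whose keys and elements are all Comparable.
    static boolean treeSetRejectsSelfReference() {
        Set<Object> s = new TreeSet<>();
        try {
            s.add(s);
            return false;
        } catch (ClassCastException e) {
            return true;
        }
    }

    // Pre-1.4.20 workaround: make XStream instantiate TreeMap / TreeSet whenever
    // the XML refers to a plain map or set (the default would be HashMap / HashSet).
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
        xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
        return xstream;
    }

    public static void main(String[] args) {
        System.out.println("HashSet containing itself overflows on hashCode(): "
                + hashOverflows(selfContainingHashSet()));
        System.out.println("HashMap containing itself overflows on hashCode(): "
                + hashOverflows(selfContainingHashMap()));
        System.out.println("TreeSet rejects the self-reference at insertion: "
                + treeSetRejectsSelfReference());

        // Constructed, benign input: with the workaround applied, a plain <set>
        // element now unmarshals to a TreeSet rather than a HashSet.
        Object parsed = hardenedXStream().fromXML("<set><string>b</string><string>a</string></set>");
        System.out.println("Default set implementation is now: " + parsed.getClass().getName());
    }
}
```

The first three checks run without XStream at all and print true/true/true, which is the whole bug in miniature: the JDK hash contract, not XStream's XML parsing, is what recurses. Treat the workaround as a stopgap for hosts that cannot take the ALAS2-2023-2007 update yet; once elements that are not Comparable reach a TreeSet or TreeMap, deserialization fails with ClassCastException, so test the application's real documents against it before relying on it.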

CVSS Scores

version 3.1