Summary: A critical denial-of-service (DoS) vulnerability, CVE-2024-47072, has been discovered in the XStream Java library, affecting all versions up to 1.4.20. Exploitation of this flaw can lead to application crashes due to stack overflow errors caused by improper handling of string value IDs during deserialization.
Threat Actor: Malicious actors | malicious actors
Victim: Users of XStream | XStream
Key Point :
- The vulnerability allows attackers to induce an endless recursion loop, leading to application crashes.
- Immediate upgrade to XStream version 1.4.21 is recommended to patch the vulnerability.
- A temporary workaround involves implementing error handling to manage StackOverflowError, but it does not replace the need for an upgrade.
A high-severity denial-of-service (DoS) vulnerability has been identified in XStream, a popular Java library used for object serialization. This vulnerability, tracked as CVE-2024-47072 with a CVSSv3 score of 7.5, affects all versions of XStream up to and including 1.4.20 when utilizing the BinaryStreamDriver. Exploitation of this vulnerability allows attackers to trigger a stack overflow error, leading to application crashes and service disruption.
CVE-2024-47072 arises from insecure handling of string value IDs during the deserialization process within the XStream BinaryStreamDriver. The driver employs a mechanism to map string values to IDs for optimization purposes. However, a flaw in the reader’s implementation permits malicious actors to craft input data that induces an endless recursion loop during the ID mapping process. This uncontrolled recursion results in a stack overflow, ultimately terminating the application.
Applications employing XStream versions 1.4.20 and earlier with the BinaryStreamDriver are susceptible to DoS attacks if they process untrusted or external input. Alexis Challande of Trail of Bits identified and responsibly disclosed the vulnerability.
Immediate upgrade to XStream version 1.4.21 is strongly recommended. This release contains a patch that addresses the vulnerability by correcting the flawed recursion handling within the BinaryStreamDriver.
While upgrading to the patched version is the optimal solution, a temporary workaround involves implementing error handling mechanisms to catch the StackOverflowError within the client code interacting with XStream. This approach can provide a temporary safeguard while facilitating a controlled shutdown or recovery process. However, it is crucial to recognize that this workaround does not address the underlying vulnerability and should not be considered a substitute for upgrading to the patched version.
Related Posts:
Source: https://securityonline.info/xstream-security-advisory-denial-of-service-vulnerability-cve-2024-47072