1. Summary
Vulnerability Name | XStream Denial of Service Vulnerability (CVE-2022-41966) |
---|---|
Release Date | December 29, 2022 |
Component Name | XStream |
Affected Versions | XStream < 1.4.20 |
Vulnerability Type | Denial of Service Vulnerability |
Severity | CVSS v3 Base Score: 7.5 (High) |
Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
Impact | Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High |
2. About CVE-2022-41966
2.1 Introduction
XStream is a Java library used to serialize objects to XML or JSON, or deserialize them into objects. XStream is free software, distributed under a BSD license.
2.2 Summary
On Dec 29, 2022, Sangfor FarSight Labs received a notice about a denial of service vulnerability in XStream (CVE-2022-41966), classified as High severity with a CVSS score of 7.5 (NVD).
This vulnerability is caused by XStream not sufficiently validating the structure of the input it deserializes. The serialized stream carries the type information XStream uses to recreate the original objects, so an attacker who controls the stream can replace or inject objects. The attack abuses the hash code implementation of collections and maps: a crafted input forces XStream to compute hash codes recursively until the call stack is exhausted, and the resulting StackOverflowError terminates the thread or application, causing a denial of service. Version 1.4.20 detects this condition and raises an InputManipulationException instead of letting the stack overflow propagate.
3. Affected Versions
XStream < 1.4.20
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
XStream has fixed this vulnerability in version 1.4.20. Upgrade to 1.4.20 or a later release, available from the following link: https://x-stream.github.io/download.html. If upgrading is not immediately possible, the XStream advisory's workaround is to catch the StackOverflowError in the application code that calls XStream, so that a malicious input fails the single request rather than terminating the application.
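The following Java class is an added example, not code from the XStream project or from this advisory. It shows a hardened deserialization wrapper that applies both points above: it restricts the types XStream may instantiate to an application-supplied allowlist using XStream's security framework (NoTypePermission, NullPermission, PrimitiveTypePermission, allowTypes), catches the InputManipulationException that 1.4.20 and later raise for the recursive hash code case, and, for deployments still on an earlier release, catches the StackOverflowError itself as the advisory's workaround. The class name SafeXStream, the constructor signature and the sample XML string are assumptions made for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.InputManipulationException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not XStream project code): deserializes untrusted XML with an
 * explicit type allowlist and converts stack exhaustion into a handled failure.
 */
public final class SafeXStream {

    private final XStream xstream = new XStream();

    /** allowedTypes: the concrete classes this application expects in the stream (assumed by the example). */
    public SafeXStream(Class<?>... allowedTypes) {
        // Deny every type first, then re-enable only what the application needs.
        // Keeping HashMap/HashSet out of the allowlist removes the attack surface
        // used by CVE-2022-41966 when the application does not need them.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(allowedTypes);
    }

    /**
     * Deserializes one untrusted document. Malicious input results in an
     * IllegalArgumentException for the caller instead of a terminated thread.
     */
    public Object fromXml(String untrustedXml) {
        try {
            return xstream.fromXML(untrustedXml);
        } catch (InputManipulationException e) {
            // XStream >= 1.4.20: recursion limit reached while computing hash codes,
            // or another detected manipulation of the input stream.
            throw new IllegalArgumentException("rejected manipulated XStream input", e);
        } catch (StackOverflowError e) {
            // XStream < 1.4.20: the advisory's workaround. The JVM has unwound the
            // stack by the time this handler runs, so the thread can continue safely.
            throw new IllegalArgumentException("rejected input: stack exhausted during deserialization", e);
        } catch (XStreamException e) {
            // Type not on the allowlist, malformed XML, or conversion failure.
            throw new IllegalArgumentException("rejected input: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for the example: only java.lang.String is allowed.
        SafeXStream safe = new SafeXStream(String.class);
        System.out.println(safe.fromXml("<string>hello</string>")); // prints: hello

        // A document naming a type outside the allowlist is rejected before any
        // instance is created, regardless of how it is nested.
        try {
            safe.fromXml("<java.util.HashSet/>");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Catching StackOverflowError is deliberately limited to the XStream call: the error is thrown once the JVM has already unwound the recursion, so handling it there is safe, whereas a blanket handler higher in the stack would hide other bugs. Upgrading to 1.4.20 remains the actual fix; the allowlist and the handler reduce impact on releases that cannot be upgraded yet.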
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the XStream denial of service vulnerability (CVE-2022-41966):
- Sangfor Cyber Command
- Sangfor Cyber Guardian Detection and Response Service
4.2.2 Security Protection
The following Sangfor products and services provide protection against the XStream denial of service vulnerability (CVE-2022-41966):
- Sangfor Next Generation Application Firewall (NGAF)
- Sangfor Cyber Guardian Detection and Response Service
5. Timeline
On Dec 29, 2022, Sangfor FarSight Labs received a notice about the XStream denial of service vulnerability (CVE-2022-41966).
On Dec 29, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. Reference
https://x-stream.github.io/CVE-2022-41966.html
https://nvd.nist.gov/vuln/detail/CVE-2022-41966
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.