CVE-2022-40152
Denial of Service vulnerability in woodstox-core (Maven)
What is CVE-2022-40152 About?
This Denial of Service (DoS) vulnerability affects FasterXML/woodstox when serializing XML data with DTD parsing enabled. An attacker can craft malicious XML input to cause a stack overflow, leading to application crashes. Exploiting this vulnerability is relatively straightforward for an attacker who can supply arbitrary XML data.
Affected Software
- com.fasterxml.woodstox:woodstox-core
  - >6.0.0, <6.4.0
  - <5.4.0
Technical Details
The vulnerability in FasterXML/woodstox occurs when processing user-supplied XML data, specifically when the DTD (Document Type Definition) parsing functionality is active. An attacker can supply a specially crafted XML document that contains deeply nested or recursively defined DTD entities. When the parser attempts to process this malformed DTD, it consumes excessive memory on the call stack due to recursive processing, eventually leading to a stack overflow. This stack overflow then causes the parsing process, and consequently the application utilizing the parser, to crash, resulting in a Denial of Service.
What is the Impact of CVE-2022-40152?
Successful exploitation may allow attackers to crash the application, disrupting service availability and leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2022-40152?
Exploitation of this Denial of Service vulnerability is relatively simple and involves crafting a malicious XML payload. No specific authentication or high privileges are required, as long as the attacker can provide user-supplied input to the XML parser. The attack is typically remote if the application exposes an XML parsing endpoint to the network. The key prerequisite is that the DTD parsing functionality must be enabled. The risk factors for exploitation are heightened if the application processes untrusted XML input without proper validation or resource limits on DTD parsing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-40152?
About the Fix from Resolved Security
The patch adds a configurable limit to the allowable recursion depth when parsing DTD content, raising an exception if the limit is exceeded. This defends against stack exhaustion or denial of service attacks caused by maliciously crafted recursive DTDs, thereby mitigating the issue described in CVE-2022-40152. By capping recursion, the patch prevents unbounded resource consumption that could crash or hang the parser.
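The prerequisite named above (DTD parsing enabled) and the fix (a recursion-depth cap in 5.4.0 / 6.4.0) suggest a two-part defence: upgrade so the cap exists, and, where the application never needs DTDs, turn DTD processing off at the StAX factory so the vulnerable code path is not reached at all. The following is an added example written for this page, not code from the Woodstox project; it uses only the standard `javax.xml.stream` properties and a constructed, harmless sample document with an internal DTD subset. The class and method names are the example's own.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxParsing {

    // Constructed sample input (not an attack payload): a small document that
    // carries an internal DTD subset. In production this string would be the
    // untrusted request body or file that reaches the parser.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]>\n"
      + "<note>hello</note>";

    /**
     * Builds a StAX factory with DTD handling switched off. With woodstox-core on
     * the classpath, XMLInputFactory.newInstance() resolves to Woodstox, and
     * SUPPORT_DTD=false stops it from parsing DTD content, which is the
     * precondition for CVE-2022-40152.
     */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Core mitigation: do not process DTDs (internal subset or external).
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Defence in depth: never fetch external entities and never expand
        // entity references, so entity-based resource abuse is not possible either.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
        return factory;
    }

    /**
     * Parses the document with the given factory and counts START_ELEMENT events.
     * A successful count shows the document body is still read normally even
     * though the DTD subset is no longer processed.
     */
    static int countStartElements(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    count++;
                }
            }
        } finally {
            reader.close();
        }
        return count;
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory factory = hardenedFactory();
        System.out.println("SUPPORT_DTD = " + factory.getProperty(XMLInputFactory.SUPPORT_DTD));
        System.out.println("start elements = " + countStartElements(factory, SAMPLE_XML));
    }
}
```

Applications that genuinely need DTDs cannot use `SUPPORT_DTD=false`; for them the upgrade to a fixed version is the mitigation, since only the patched parser enforces the recursion-depth limit. Note that the factory is typically created once and shared, so the hardening must be applied wherever `XMLInputFactory` instances are constructed, including inside frameworks (for example XStream, referenced below) that build their own factory.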
Available Upgrade Options
- com.fasterxml.woodstox:woodstox-core
  - <5.4.0 → Upgrade to 5.4.0
  - >6.0.0, <6.4.0 → Upgrade to 6.4.0
Additional Resources
- https://github.com/FasterXML/woodstox/issues/160
- https://github.com/FasterXML/woodstox/pull/159
- https://github.com/x-stream/xstream/issues/304
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434
- https://nvd.nist.gov/vuln/detail/CVE-2022-40152
- https://osv.dev/vulnerability/GHSA-3f7h-mf4q-vrm4
- https://github.com/FasterXML/woodstox
- https://github.com/FasterXML/woodstox/issues/157
What are Similar Vulnerabilities to CVE-2022-40152?
Similar Vulnerabilities: CVE-2018-1000876, CVE-2017-7679, CVE-2016-1000005, CVE-2015-8167, CVE-2014-3577
