CVE-2022-41966
Denial of Service (DoS) vulnerability in xstream (Maven)
What is CVE-2022-41966 About?
This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by triggering a stack overflow error within XStream due to recursive hash calculations in collections. It can terminate the application, leading to service disruption, and is relatively easy to exploit with a manipulated input stream. The impact is high due to the complete unavailability of the service.
Affected Software
Technical Details
The vulnerability enables a remote attacker to trigger a Denial of Service (DoS) by sending a specially crafted input stream to XStream. This input leverages recursive hash code calculations within common Java collection types such as HashMap, HashSet, Hashtable, LinkedHashMap, and LinkedHashSet. By providing a deeply nested or highly recursive structure within the input, the attacker forces XStream to perform an excessive number of hash code computations during deserialization. This recursive processing exhausts the stack memory, leading to a StackOverflowError and consequently terminating the application. The attack vector is the processed input stream, which does not require authentication.
What is the Impact of CVE-2022-41966?
Successful exploitation may allow attackers to terminate the application, leading to a denial of service and disrupting the availability of the affected system.
What is the Exploitability of CVE-2022-41966?
Exploitation involves a remote attacker manipulating the processed input stream to induce a stack overflow. No authentication or special privileges are required. The complexity is low to moderate, as it relies on crafting an input that exploits the recursive hash calculation in certain collection types. The likelihood of exploitation is reduced if the application catches StackOverflowError or if XStream's security framework explicitly denies the use of the affected collection types. Configuring XStream to use NO_REFERENCE mode, or registering TreeMap/TreeSet as the default implementations for Map/Set, can also mitigate the risk, though each imposes specific constraints on the object graph that can be deserialized.
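The workarounds listed above, combined into one hardened XStream configuration. This is an added example written for this page, not code from the XStream project or from the advisory; the `Order` class is a hypothetical application type standing in for whatever the service actually deserializes, and the reference mode the page calls NO_REFERENCE is set through the `XStream.NO_REFERENCES` constant. It assumes XStream 1.4.7 or later, where `allowTypes`/`denyTypes` exist.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public final class HardenedXStreamFactory {

    // The collection types named in the advisory: their hashCode() recurses into their
    // elements, which is what a crafted input stream abuses.
    private static final Class<?>[] RECURSIVE_HASH_TYPES = {
        HashMap.class, HashSet.class, Hashtable.class, LinkedHashMap.class, LinkedHashSet.class
    };

    // Hypothetical application payload type (assumption, not from the page).
    public static final class Order {
        public String id;
        public Map<String, String> attributes;
        public Set<String> tags;
    }

    public static XStream create() {
        XStream xstream = new XStream(new DomDriver());

        // 1. Disable references. References in the input are no longer resolved, so a
        //    collection that (indirectly) contains itself cannot be rebuilt. Trade-off:
        //    object graphs with shared or cyclic references will not round-trip.
        xstream.setMode(XStream.NO_REFERENCES);

        // 2. Allow-list exactly the types this service expects, then explicitly deny the
        //    affected collections so they are rejected even if a broader permission is
        //    added later. Primitives, wrappers and String are permitted by XStream's
        //    default security setup; everything else must be listed here.
        xstream.allowTypes(new Class[] { Order.class, TreeMap.class, TreeSet.class });
        xstream.denyTypes(RECURSIVE_HASH_TYPES);

        // 3. Make sorted implementations the default for the Map/Set interfaces. Their
        //    hashCode() still iterates the entries, but the recursive structure the attack
        //    relies on is not reachable without references. Constraint: keys and elements
        //    must be Comparable (or a Comparator must be supplied), so this only fits
        //    object graphs whose map keys and set elements sort naturally.
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);

        return xstream;
    }

    // Last line of defence: contain a StackOverflowError raised on the deserializing
    // thread and turn it into an ordinary input-rejection error, so a single malicious
    // request cannot terminate the whole service. Type violations are mapped the same way.
    public static Object deserializeOrReject(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (StackOverflowError e) {
            throw new IllegalArgumentException("rejected input: deserialization overflowed the stack", e);
        } catch (ForbiddenClassException e) {
            throw new IllegalArgumentException("rejected input: type not permitted: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed sample input exercising the allowed types only.
        String xml = "<order><id>A-1</id><attributes><entry><string>sku</string>"
                   + "<string>42</string></entry></attributes><tags><string>rush</string></tags></order>";
        xstream.alias("order", Order.class);
        Order order = (Order) deserializeOrReject(xstream, xml);
        System.out.println(order.id + " " + order.attributes + " " + order.tags);
    }
}
```

The three measures are independent; apply the ones whose constraints your object graph tolerates. Catching `StackOverflowError` alone does not stop the CPU and stack work already spent on a request, so it complements the configuration changes rather than replacing the upgrade to 1.4.20.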
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| 111ddea | Link | PoC for CVE-2022-41966 |
What are the Available Fixes for CVE-2022-41966?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.20 → Upgrade to 1.4.20
Additional Resources
- https://osv.dev/vulnerability/GHSA-j563-grx4-pjpv
- https://x-stream.github.io/CVE-2022-41966.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
- https://security.netapp.com/advisory/ntap-20230216-0005/
- https://github.com/x-stream/xstream
- https://nvd.nist.gov/vuln/detail/CVE-2022-41966
What are Similar Vulnerabilities to CVE-2022-41966?
Similar Vulnerabilities: CVE-2021-21346, CVE-2021-39146, CVE-2013-7285, CVE-2017-7957, CVE-2022-41881
