From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001
|
|
From: joehni <joerg.schaible@gmx.de>
|
|
Date: Fri, 18 Oct 2024 11:33:48 +0200
|
|
Subject: [PATCH] Document CVE-2024-47072 and add test case.
|
|
|
|
Origin:
|
|
https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
|
|
---
|
|
.../src/content/CVE-2024-47072.html | 68 +++++++++++++++++++
|
|
.../src/content/security.html | 11 ++-
|
|
xstream-distribution/src/content/website.xml | 3 +-
|
|
.../acceptance/SecurityVulnerabilityTest.java | 19 ++++++
|
|
4 files changed, 99 insertions(+), 2 deletions(-)
|
|
create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html
|
|
|
|
diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html
|
|
new file mode 100644
|
|
index 000000000..9e021709b
|
|
--- /dev/null
|
|
+++ b/xstream-distribution/src/content/CVE-2024-47072.html
|
|
@@ -0,0 +1,68 @@
|
|
+<html>
|
|
+<!--
|
|
+ Copyright (C) 2024 XStream committers.
|
|
+ All rights reserved.
|
|
+
|
|
+ The software in this package is published under the terms of the BSD
|
|
+ style license a copy of which has been included with this distribution in
|
|
+ the LICENSE.txt file.
|
|
+
|
|
+ Created on 19. September 2024 by Joerg Schaible
|
|
+ -->
|
|
+ <head>
|
|
+ <title>CVE-2024-47072</title>
|
|
+ </head>
|
|
+ <body>
|
|
+
|
|
+ <h2 id="vulnerability">Vulnerability</h2>
|
|
+
|
|
+ <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
|
|
+ binary input stream.</p>
|
|
+
|
|
+ <h2 id="affected_versions">Affected Versions</h2>
|
|
+
|
|
+ <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
|
|
+
|
|
+ <h2 id="description">Description</h2>
|
|
+
|
|
+ <p>XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses ids for
|
|
+ string values as deduplication. The mapping for these ids are created on-the-fly at marshalling time. At
|
|
+ unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
|
|
+ token to process the next normal token of the data stream. However, an endless recursion could be triggered with
|
|
+ manipulated input data resulting in a stack overflow causing a denial of service.</p>
|
|
+
|
|
+ <h2 id="reproduction">Steps to Reproduce</h2>
|
|
+
|
|
+ <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
|
|
+<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
|
|
+for (int i = 0; i < byteArray.length / 4; i++) {
|
|
+ byteArray[i * 4] = 10;
|
|
+ byteArray[i * 4 + 1] = -127;
|
|
+ byteArray[i * 4 + 2] = 0;
|
|
+ byteArray[i * 4 + 3] = 0;
|
|
+}
|
|
+
|
|
+XStream xstream = new XStream(new BinaryStreamDriver());
|
|
+xstream.fromXML(new ByteArrayInputStream(byteArray));
|
|
+</pre></div>
|
|
+
|
|
+ <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
|
|
+ a stack overflow error.</p>
|
|
+
|
|
+ <h2 id="impact">Impact</h2>
|
|
+
|
|
+ <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
|
|
+ in a denial of service only by manipulating the processed input stream if the instance is setup with a
|
|
+ BinaryStreamDriver.</p>
|
|
+
|
|
+ <h2 id="workarounds">Workarounds</h2>
|
|
+
|
|
+ <p>A simple solution is to catch the StackOverflowError in the client code calling XStream. There's no other known
|
|
+ workaround when using the BinaryStreamDriver.</p>
|
|
+
|
|
+ <h2 id="credits">Credits</h2>
|
|
+
|
|
+ <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
|
|
+
|
|
+ </body>
|
|
+ </html>
|
|
diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html
|
|
index f121ec273..1a68de0a8 100644
|
|
--- a/xstream-distribution/src/content/security.html
|
|
+++ b/xstream-distribution/src/content/security.html
|
|
@@ -1,6 +1,6 @@
|
|
<html>
|
|
<!--
|
|
- Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
|
|
+ Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
|
|
All rights reserved.
|
|
|
|
The software in this package is published under the terms of the BSD
|
|
@@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
|
|
<th>CVE</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
+ <tr>
|
|
+ <th>Version 1.4.21</th>
|
|
+ <td></td>
|
|
+ </tr>
|
|
+ <tr>
|
|
+ <th><a href="/x-stream/xstream/commit/CVE-2024-47072.html">CVE-2024-47072</a></th>
|
|
+ <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
|
|
+ stream.</td>
|
|
+ </tr>
|
|
<tr>
|
|
<th>Version 1.4.19</th>
|
|
<td></td>
|
|
diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml
|
|
index d89179184..c6b253fb3 100644
|
|
--- a/xstream-distribution/src/content/website.xml
|
|
+++ b/xstream-distribution/src/content/website.xml
|
|
@@ -1,6 +1,6 @@
|
|
<!--
|
|
Copyright (C) 2005, 2006 Joe Walnes.
|
|
- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
|
|
+ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
|
|
All rights reserved.
|
|
|
|
The software in this package is published under the terms of the BSD
|
|
@@ -63,6 +63,7 @@
|
|
</section>
|
|
<section>
|
|
<name>!Vulnerabilities</name>
|
|
+ <page>CVE-2024-47072.html</page>
|
|
<page>CVE-2022-41966.html</page>
|
|
<page>CVE-2022-40151.html</page>
|
|
<page>CVE-2021-21341.html</page>
|
|
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
index 7bf2d38ed..49281fd06 100644
|
|
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
@@ -26,8 +26,10 @@
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
|
|
+import com.thoughtworks.xstream.XStream;
|
|
import com.thoughtworks.xstream.converters.ConversionException;
|
|
import com.thoughtworks.xstream.core.JVM;
|
|
+import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
|
|
import com.thoughtworks.xstream.security.AnyTypePermission;
|
|
import com.thoughtworks.xstream.security.ForbiddenClassException;
|
|
import com.thoughtworks.xstream.security.InputManipulationException;
|
|
@@ -545,4 +547,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
|
|
assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
|
|
}
|
|
}
|
|
+
|
|
+ public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
|
|
+ final byte[] byteArray = new byte[36000];
|
|
+ for (int i = 0; i < byteArray.length / 4; i++) {
|
|
+ byteArray[i * 4] = 10;
|
|
+ byteArray[i * 4 + 1] = -127;
|
|
+ byteArray[i * 4 + 2] = 0;
|
|
+ byteArray[i * 4 + 3] = 0;
|
|
+ }
|
|
+
|
|
+ try {
|
|
+ xstream = new XStream(new BinaryStreamDriver());
|
|
+ xstream.fromXML(new ByteArrayInputStream(byteArray));
|
|
+ } catch (final InputManipulationException e) {
|
|
+ assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
|
|
+ }
|
|
+ }
|
|
}
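Review bot: The new test passes silently if `fromXML` returns without throwing, because its only assertion sits inside the `catch` block; add `fail("Thrown " + InputManipulationException.class.getName() + " expected");` directly after the `xstream.fromXML(new ByteArrayInputStream(byteArray));` line so a regression in the reader's detection of the manipulated stream is actually reported. A StackOverflowError from an unfixed reader would still fail the test, since it is not caught, so only the "no exception at all" case is currently missed. The repeated four-byte pattern also deserves a why-comment, e.g. `// 9000 consecutive mapping tokens with no normal token in between; per CVE-2024-47072 the reader recursed once per mapping token`, since the intent is not obvious from the literals. The enclosing class starts outside the hunk, and `xstream` appears to be a fixture field assigned elsewhere.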
|