XStream Security Advisory: Denial-of-Service Vulnerability (CVE-2024-47072)
A high-severity denial-of-service (DoS) vulnerability has been identified in XStream, a popular Java library used for object serialization. This vulnerability, tracked as CVE-2024-47072 with a CVSSv3 score of 7.5, affects all versions of XStream up to and including 1.4.20 when the BinaryStreamDriver is used. Exploiting it allows an attacker to trigger a stack overflow error, leading to application crashes and service disruption.
CVE-2024-47072 arises from insecure handling of string value IDs during deserialization within the XStream BinaryStreamDriver. The driver maps string values to IDs for optimization purposes. A flaw in the reader's implementation, however, allows malicious actors to craft input data that induces unbounded recursion during the ID mapping process. This uncontrolled recursion exhausts the thread's stack, ultimately terminating the application.
Applications employing XStream versions 1.4.20 and earlier with the BinaryStreamDriver are susceptible to DoS attacks if they process untrusted or external input. Alexis Challande of Trail of Bits identified and responsibly disclosed the vulnerability.
Immediate upgrade to XStream version 1.4.21 is strongly recommended. This release contains a patch that addresses the vulnerability by correcting the flawed recursion handling within the BinaryStreamDriver.
While upgrading to the patched version is the proper fix, a temporary workaround is to catch the StackOverflowError in the client code that calls into XStream. This allows the application to fail in a controlled manner, logging the event and rejecting the input or shutting down cleanly, rather than crashing outright. It is crucial to recognize, however, that this workaround does not address the underlying vulnerability and is not a substitute for upgrading to the patched version.
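The following is an added illustration of that interim workaround, not code from the advisory or from the XStream project. It wraps a BinaryStreamDriver-backed deserialization call so that a StackOverflowError is converted into a handled rejection of the input; the class name, the `UntrustedInputRejected` exception and the allowlisted types are assumptions for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Interim mitigation for CVE-2024-47072 where an immediate upgrade to 1.4.21 is
 * not possible: confine the StackOverflowError to the deserialization call so it
 * surfaces as a handled, loggable failure instead of a thread or process crash.
 */
public final class SafeBinaryDeserializer {

    /** Hypothetical checked exception thrown to the caller instead of the Error. */
    public static final class UntrustedInputRejected extends Exception {
        UntrustedInputRejected(String msg, Throwable cause) { super(msg, cause); }
    }

    private final XStream xstream;

    public SafeBinaryDeserializer(Class<?>... allowedTypes) {
        xstream = new XStream(new BinaryStreamDriver());
        // Allowlist only the types this endpoint expects; XStream 1.4.18+ requires
        // an explicit allowlist before any type can be deserialized.
        xstream.allowTypes(allowedTypes);
    }

    public Object deserialize(byte[] payload) throws UntrustedInputRejected {
        try (InputStream in = new ByteArrayInputStream(payload)) {
            // fromXML uses the configured driver, so this reads the binary format.
            return xstream.fromXML(in);
        } catch (StackOverflowError e) {
            // Unbounded recursion in the string-ID mapping (CVE-2024-47072):
            // reject the input and let the service continue rather than die.
            throw new UntrustedInputRejected("rejected binary XStream input: stack exhausted", e);
        } catch (XStreamException e) {
            // Any other malformed or disallowed content is rejected the same way.
            throw new UntrustedInputRejected("rejected binary XStream input: malformed", e);
        } catch (IOException e) {
            throw new UntrustedInputRejected("unreadable input", e);
        }
    }
}
```

Callers should log each `UntrustedInputRejected` with its source, since a spike of stack-exhaustion rejections on a binary endpoint is the detection signal for attempts against this issue.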