Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3299 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * apache-commons-text: variable interpolation RCE (CVE-2022-42889)

    * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

    * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin     (CVE-2023-24422)

    * kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)

    * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

    * springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)

    * xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)

    * woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks     (CVE-2022-40152)

    * Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)

    * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

    * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

    * Jenkins: Denial of Service attack (CVE-2023-27900)

    * Jenkins: Denial of Service attack (CVE-2023-27901)

    * Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)

    * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2464 advisory.

    Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the April 2023 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (Netty)).  Supported versions that are affected are 12.2.1.4.0. Netty project is an event-driven     asynchronous network application framework. In versions prior to 4.1.86.Final, a stack overflow error can be     raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in     version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (XStream)).  Supported versions that are affected are 12.2.1.4.0. Those using Xstream to seralize     XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input,     an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial     of service attack. (CVE-2022-40151)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (jackson-databind)). Supported versions that are affected are 12.2.1.4.0. In FasterXML jackson-databind before     2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid     deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in     2.13.4.1 and 2.12.17.1 (CVE-2022-42003)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1673-1 advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 9d9e9439-959e-11ed-b464-b42e991fc52e advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196408	RHEL 7 : xstream (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
194250	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3299)	Nessus	Red Hat Local Security Checks	critical
190694	Amazon Linux 2 : xstream (ALAS-2024-2464)	Nessus	Amazon Linux Local Security Checks	high
174540	Oracle WebCenter Portal Multiple Vulnerabilities (April 2023 CPU)	Nessus	Misc.	medium
173696	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xstream (SUSE-SU-2023:1673-1)	Nessus	SuSE Local Security Checks	high
170077	FreeBSD : security/keycloak -- Multiple possible DoS attacks (9d9e9439-959e-11ed-b464-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-40151

high

Tenable Plugins

critical

critical

high

medium

high

high