XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2707 advisory.

    XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input     stream. XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses     ids for string values as deduplication. The mapping for these ids are created on-the-fly at marshalling     time. At unmarshalling time the reader's implementation simply used a simple one-time recursion after     reading a mapping token to process the next normal token of the data stream. However, an endless recursion     could be triggered with manipulated input data resulting in a stack overflow causing a denial of service.
    (CVE-2024-47072)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4001 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4001-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Bastien Roucaris     December 21, 2024                             https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : libxstream-java     Version        : 1.4.15-3+deb11u3     CVE ID         : CVE-2021-43859 CVE-2024-47072     Debian Bug     : 1087274

    XStream is a simple java library to serialize objects to XML     and back again. Two vulnerabilities were fixed:

    CVE-2021-43859:

      XStream can cause a Denial of Service (DoS) by injecting highly       recursive collections or maps

    CVE-2024-47072

      XStream was vulnerable to a Denial of Service attack due       to stack overflow from a manipulated binary input stream

    For Debian 11 bullseye, this problem has been fixed in version     1.4.15-3+deb11u3.

    We recommend that you upgrade your libxstream-java packages.

    For the detailed security status of libxstream-java please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libxstream-java

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4037-1 advisory.

    - CVE-2024-47072: Fixed possible remote denial-of-service via a stack overflow (bsc#1233085).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
213372	Amazon Linux 2 : xstream (ALAS-2024-2707)	Nessus	Amazon Linux Local Security Checks	high
213317	Debian dla-4001 : libxstream-java - security update	Nessus	Debian Local Security Checks	high
212539	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : bea-stax, xstream (SUSE-SU-2024:4037-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2024-47072

high

Tenable Plugins

high

high

high