Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 13 Apr 2017 08:32:38 +0200
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - XStream: DoS when unmarshalling void

Hello Jörg,

Unfortunately, CVE assignments are not done through this list anymore.
You need to visit [1] and request a CVE by filing out the form. Could
you please look at it and let the list know about the assigned CVE?

Thanks!

Best Regards,

[1] https://cveform.mitre.org/

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

On 04/03/2017 01:55 PM, Jörg Schaible wrote:
> Hello,
>
> XStream is a Java library basically to marshal Java objects into XML and 
> back.
>
> Huawei engineers reported a reproducible crash of the Java VM (DoS) feeding 
> XStream with a specially crafted XML (note, that Stream also supports JSON, 
> that one can be used equally).
>
> Issue Description
> =================
>
> The processed stream at unmarshalling type contains type information to 
> recreate the formerly written objects. XStream creates therefore new 
> instances based on these type information. The crash occurrs if this 
> information advices XStream to create an instance of the primitive type 
> 'void'. This situation can only happen if an attacker was able to manipulate 
> the incoming data, since such an instance does not exist.
>
> Steps to Reproduce:
> ===================
>
> The simplest way to demonstrate the problem is with this snippet:
>
> XStream xstream = new XStream();
> xstream.fromXML("<void/>");
>
> If XStream is configured to read JSON, the equivalent line is:
>
> xstream.fromXML("{'void':null}");
>
> However, the problematic type information can be injected at any position in 
> the provided stream, in XML just by adding a class attribute:
>
> xstream.fromXML("<string class='void'>Hello, world!</string>");
>
> Impact:
> =======
> The vulnerability may allow a remote attacker to cause a crash on the target 
> system resulting in a denial of service only by manipulating the processed 
> input stream.
>
> Affected Versions:
> ==================
> Currently all versions until and including version 1.4.9 are affected, but 
> workarounds exist.
>
> Workarounds:
> ============
> XStream contains since version 1.4.7 a security framework to prevent an 
> attack described in CVE-2013-7285. This framework can also be used to 
> suppress the current vulnerability by setting:
>
> xstream.denyTypes(void.class, Void.class);
>
> Users of older XStream releases can register an own converter for the 'void' 
> type, that also protects against this attack:
>
> xstream.registerConverter(new Converter() {
>   public boolean canConvert(Class type) {
>     return Void.class == type || void.class == type;
>   }
>   public Object unmarshal(HierarchicalStreamReader reader, 
> UnmarshallingContext context) {
>     throw new ConversionException("Type void cannot have an instance");
>   }
>   public void marshal(Object source, HierarchicalStreamWriter writer, 
> MarshallingContext context) {
>     throw new ConversionException("Type void cannot have an instance");
>   }
> }, XStream.PRIORITY_VERY_HIGH);
>
> Regards,
> Jörg Schaible
>
> Maintainer of XStream.
>



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ