CVE-2017-7957
XStream: DoS when unmarshalling void type
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
XStream a través de 1.4.9, cuando no se utiliza una solución de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicación remota, como lo demuestra una llamda a xstream.fromXML (" > ").
It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-19 CVE Reserved
- 2017-04-29 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/100687 | Third Party Advisory | |
| http://www.securitytracker.com/id/1039499 | Third Party Advisory | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/125800 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3841 | 2019-03-26 | |
| http://x-stream.github.io/CVE-2017-7957.html | 2019-03-26 | |
| https://access.redhat.com/errata/RHSA-2017:1832 | 2019-03-26 | |
| https://access.redhat.com/errata/RHSA-2017:2888 | 2019-03-26 | |
| https://access.redhat.com/errata/RHSA-2017:2889 | 2019-03-26 | |
| https://access.redhat.com/security/cve/CVE-2017-7957 | 2017-10-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1441538 | 2017-10-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xstream Project Search vendor "Xstream Project" | Xstream Search vendor "Xstream Project" for product "Xstream" | <= 1.4.9 Search vendor "Xstream Project" for product "Xstream" and version " <= 1.4.9" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||