Nikhil created AMQ-9195:
---------------------------
Summary: XStream - CVE-2022-41966
Key: AMQ-9195
URL: https://issues.apache.org/jira/browse/AMQ-9195
Project: ActiveMQ
Issue Type: Dependency upgrade
Affects Versions: 5.16.5
Reporter: Nikhil
{*}Summary{*}: XStream serializes Java objects to XML and back again. Versions
prior to 1.4.20 may allow a remote attacker to terminate the application with a
stack overflow error, resulting in a denial of service only via manipulation
the processed input stream. The attack uses the hash code implementation for
collections and maps to force recursive hash calculation causing a stack
overflow. This issue is patched in version 1.4.20 which handles the stack
overflow and raises an InputManipulationException instead. A potential
workaround for users who only use HashMap or HashSet and whose XML refers these
only as default map or set, is to change the default implementation of
java.util.Map and java.util per the code example in the referenced advisory.
However, this implies that your application does not care about the
implementation of the map and all elements are comparable.
{*}Solution{*}: Fixed in version *1.4.20* by this commit.
Since ActiveMQ web console uses this library (XStream) - I think we will need
to update this to 1.4.20, currently we are using *1.4.19* in *5.16.5*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
