[ https://issues.apache.org/jira/browse/AMQ-9195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned AMQ-9195:
-----------------------------------------
Assignee: Jean-Baptiste Onofré
> Upgrade XStream to 1.4.20 - CVE-2022-41966
> ------------------------------------------
>
> Key: AMQ-9195
> URL: https://issues.apache.org/jira/browse/AMQ-9195
> Project: ActiveMQ
> Issue Type: Dependency upgrade
> Affects Versions: 5.16.5
> Reporter: Nikhil
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.18.0, 5.16.6, 5.17.4
>
>
> {*}Summary{*}: XStream serializes Java objects to XML and back again.
> Versions prior to 1.4.20 may allow a remote attacker to terminate the
> application with a stack overflow error, resulting in a denial of service
> only via manipulation of the processed input stream. The attack uses the hash
> code implementation for collections and maps to force recursive hash
> calculation causing a stack overflow. This issue is patched in version 1.4.20
> which handles the stack overflow and raises an InputManipulationException
> instead. A potential workaround for users who only use HashMap or HashSet and
> whose XML refers to these only as default map or set, is to change the default
> implementation of java.util.Map and java.util per the code example in the
> referenced advisory. However, this implies that your application does not
> care about the implementation of the map and all elements are comparable.
>
> {*}Solution{*}: Fixed in version *1.4.20* by this commit.
>
> Since the ActiveMQ web console uses this library (XStream), I think we will need
> to update it to 1.4.20; currently we are using *1.4.19* in *5.16.5*.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
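The two technical points in the description above, the recursive hash calculation and the TreeMap/TreeSet workaround, as an added Java example. This is not code from the ActiveMQ or XStream projects. The class name, the constructed XML documents and the `allowTypeHierarchy` calls are assumptions of this demo; the `addDefaultImplementation` calls are the workaround the advisory describes. The cycle is built in plain Java so the mechanism can be seen without any payload.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import com.thoughtworks.xstream.XStream;

public class HashRecursionDemo {

    // Two HashSets that contain each other. AbstractSet.hashCode() is the sum
    // of the elements' hash codes, so a.hashCode() calls b.hashCode(), which
    // calls a.hashCode() again, until the stack is exhausted. This is the
    // recursion the description refers to; before 1.4.20 a crafted document
    // could make XStream build such a cycle and hit it during unmarshalling.
    static boolean cyclicSetsOverflowOnHashCode() {
        Set<Object> a = new HashSet<>();
        Set<Object> b = new HashSet<>();
        a.add(b);      // b is empty: its hash is 0, nothing recursive yet
        b.add(a);      // a.hashCode() == b.hashCode() == 0 at this moment, still fine
        try {
            a.hashCode();   // now a -> b -> a -> ... with no base case
            return false;
        } catch (StackOverflowError e) {
            return true;
        }
    }

    // The workaround from the advisory: declare TreeMap the default
    // implementation of Map and TreeSet the default implementation of Set.
    // Both order elements with compareTo() and never call hashCode(), so the
    // recursion above cannot be reached. The allowTypeHierarchy calls are an
    // assumption of this demo (1.4.18+ already permits collections by default)
    // so that it does not depend on a version's built-in whitelist.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.addDefaultImplementation(TreeMap.class, Map.class);
        xstream.addDefaultImplementation(TreeSet.class, Set.class);
        return xstream;
    }

    // Constructed document that names only the interfaces (<map>, <set>),
    // which is the case the description says the workaround covers.
    static final String DOC =
        "<map>"
      + "<entry><string>queue</string>"
      + "<set><string>orders</string><string>audit</string></set></entry>"
      + "</map>";

    // Constructed document whose set elements have no natural order: the
    // price of the workaround, since TreeSet needs comparable elements.
    static final String NON_COMPARABLE_DOC = "<set><set/><set/></set>";

    public static void main(String[] args) {
        System.out.println("cycle overflows on hashCode(): " + cyclicSetsOverflowOnHashCode());

        // With the workaround, <map> and <set> come back as the tree implementations.
        Map<?, ?> map = (Map<?, ?>) hardened().fromXML(DOC);
        System.out.println("map class:   " + map.getClass().getName());
        System.out.println("value class: " + map.get("queue").getClass().getName());

        // XStream wraps the ClassCastException raised by TreeSet in its own
        // runtime exception, so catch broadly and report what was thrown.
        try {
            hardened().fromXML(NON_COMPARABLE_DOC);
            System.out.println("unexpected: non-comparable elements accepted");
        } catch (RuntimeException e) {
            System.out.println("non-comparable elements rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it against the XStream jar on the classpath (1.4.19 or 1.4.20 both work for this demo). The last case is the caveat from the description: once Set means TreeSet, any document whose set elements are not mutually comparable stops deserializing, which is why the workaround only suits applications that do not care about the map implementation and whose elements all have a natural order. Upgrading to 1.4.20, which catches the overflow and raises `InputManipulationException`, has no such restriction.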