ALAS-2024-2707


Amazon Linux 2 Security Advisory: ALAS-2024-2707
Advisory Release Date: 2024-12-05 01:02 Pacific
Advisory Updated Date: 2024-12-19 16:00 Pacific
Severity: Important

Issue Overview:

XStream is vulnerable to a denial of service caused by a stack overflow on a manipulated binary input stream. XStream's BinaryStreamDriver implements its own optimized serialization format. That format deduplicates string values by replacing them with ids; the id-to-string mapping is created on the fly at marshalling time and written into the stream as mapping tokens. At unmarshalling time the reader, after consuming a mapping token, simply recursed once to process the next normal token of the data stream. Manipulated input consisting of an unbounded run of mapping tokens therefore turns every token into one more stack frame, producing endless recursion, a stack overflow and a denial of service. (CVE-2024-47072)
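The following is an added illustration, not XStream's code and not its real binary format: a constructed toy stream with mapping, reference and end tokens, read once with the recursive pattern the advisory describes and once with a loop. The tag values, the helper names and the sample streams are all assumptions made for this example. It shows why input length becomes stack depth when the reader recurses after each mapping token, and that an iterative reader is bounded by the input size instead.

```python
"""Toy reader modelled on the behaviour described for CVE-2024-47072.

Constructed for this advisory.  It is NOT XStream's BinaryStreamDriver
format or code; tag values and names are invented.  Mapping tokens register
an id -> string entry, reference tokens name a string by id, and the
vulnerable reader recurses once after every mapping token.
"""
import io

TAG_MAP = 0x01   # id, length, UTF-8 bytes: register a string under an id
TAG_REF = 0x02   # id: a string value given by its id
TAG_END = 0x03   # end of the value list


def _read_exact(stream: io.BytesIO, n: int) -> bytes:
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated stream")
    return data


def _read_mapping(stream: io.BytesIO, table: dict) -> None:
    sid = _read_exact(stream, 1)[0]
    length = _read_exact(stream, 1)[0]
    table[sid] = _read_exact(stream, length).decode("utf-8")


def read_token_recursive(stream: io.BytesIO, table: dict):
    """Vulnerable pattern: after a mapping token, recurse for the next token.

    A stream that is nothing but mapping tokens adds one frame per token, so
    attacker-controlled input length becomes stack depth (RecursionError
    here; a StackOverflowError in the JVM case the advisory describes).
    """
    tag = _read_exact(stream, 1)[0]
    if tag == TAG_MAP:
        _read_mapping(stream, table)
        return read_token_recursive(stream, table)  # the one-time recursion
    if tag == TAG_REF:
        return table[_read_exact(stream, 1)[0]]
    if tag == TAG_END:
        return None
    raise ValueError(f"unknown tag {tag:#x}")


def read_token_iterative(stream: io.BytesIO, table: dict):
    """Hardened pattern: drain mapping tokens in a loop, never recurse.

    Stack depth is constant; work is linear in the input.  Unknown ids are
    rejected explicitly instead of surfacing as a KeyError.
    """
    while True:
        tag = _read_exact(stream, 1)[0]
        if tag == TAG_MAP:
            _read_mapping(stream, table)
            continue
        if tag == TAG_REF:
            sid = _read_exact(stream, 1)[0]
            if sid not in table:
                raise ValueError(f"reference to unknown id {sid}")
            return table[sid]
        if tag == TAG_END:
            return None
        raise ValueError(f"unknown tag {tag:#x}")


def unmarshal(data: bytes, reader) -> list:
    """Read values until the end token, using the given token reader."""
    stream, table, values = io.BytesIO(data), {}, []
    while True:
        value = reader(stream, table)
        if value is None:
            return values
        values.append(value)


def outcome(data: bytes, reader) -> str:
    """Classify what happens when `reader` processes `data`."""
    try:
        unmarshal(data, reader)
    except RecursionError:
        return "stack overflow"
    except ValueError as exc:
        return f"rejected: {exc}"
    return "ok"


def mapping(sid: int, text: str) -> bytes:
    encoded = text.encode("utf-8")
    return bytes([TAG_MAP, sid, len(encoded)]) + encoded


# Constructed sample streams (not captured from any real XStream output).
BENIGN = (mapping(1, "alice") + mapping(2, "bob")
          + bytes([TAG_REF, 1, TAG_REF, 2, TAG_REF, 1, TAG_END]))
# Thousands of mapping tokens and never a normal token in between.
MALICIOUS = b"".join(mapping(i % 256, "x") for i in range(5000)) + bytes([TAG_END])
UNKNOWN_REF = bytes([TAG_REF, 9, TAG_END])

if __name__ == "__main__":
    print("benign, recursive:   ", outcome(BENIGN, read_token_recursive))
    print("malicious, recursive:", outcome(MALICIOUS, read_token_recursive))
    print("malicious, iterative:", outcome(MALICIOUS, read_token_iterative))
```

The malicious stream is only a few kilobytes, which is the point of the CVE: the cost to the attacker is linear in bytes while the cost to the vulnerable reader is one stack frame per token. The iterative reader consumes the same stream and returns an empty value list.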


Affected Packages:

xstream


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the Amazon Linux FAQ for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update xstream to update your system, then confirm with rpm -q xstream that the installed version is 1.3.1-16.amzn2.0.4 or later.

New Packages:
noarch:
    xstream-1.3.1-16.amzn2.0.4.noarch
    xstream-javadoc-1.3.1-16.amzn2.0.4.noarch

src:
    xstream-1.3.1-16.amzn2.0.4.src