CVE-2017-7957: Input Validation
First published: Wed Apr 12 2017(Updated: )
A vulnerability was found in XStream. Parsing a maliciously crafted file could cause the application to crash. The processed stream at unmarshalling type contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. The crash occurrs if this information advices XStream to create an instance of the primitive type 'void'. This situation can only happen if an attacker was able to manipulate the incoming data, since such an instance does not exist. References: <a href="http://seclists.org/oss-sec/2017/q2/9">http://seclists.org/oss-sec/2017/q2/9</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xstream Project Xstream | <=1.4.9 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| IBM GDE | <=3.0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/125800
- https://www.ibm.com/support/pages/node/6403331 (Advisory)
- http://www.debian.org/security/2017/dsa-3841
- http://www.securityfocus.com/bid/100687
- http://www.securitytracker.com/id/1039499
- http://x-stream.github.io/CVE-2017-7957.html
- https://access.redhat.com/errata/RHSA-2017:1832
- https://access.redhat.com/errata/RHSA-2017:2888
- https://access.redhat.com/errata/RHSA-2017:2889
- https://www-prd-trops.events.ibm.com/node/715749
- http://seclists.org/oss-sec/2017/q2/9
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441541
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441542
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1481373
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1598330
- https://bugzilla.redhat.com/show_bug.cgi?id=1441538
Frequently Asked Questions
What is CVE-2017-7957?
CVE-2017-7957 is a vulnerability in XStream through 1.4.9 that allows for a denial of service attack.
How does CVE-2017-7957 manifest?
CVE-2017-7957 manifests as a remote application crash when XStream mishandles attempts to create an instance of the primitive type 'void' during unmarshalling.
Which software products are affected by CVE-2017-7957?
CVE-2017-7957 affects IBM GDE version 3.0.0.2, Xstream Project Xstream up to version 1.4.9, and Debian Debian Linux versions 8.0 and 9.0.
What is the severity of CVE-2017-7957?
The severity of CVE-2017-7957 is high with a CVSS score of 7.5.
How can CVE-2017-7957 be mitigated?
To mitigate CVE-2017-7957, apply the denyTypes workaround in XStream 1.4.9 or upgrade to a version that includes the fix.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7957
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/xstream project
- canonical/xstream project xstream
- version/xstream project xstream/1.4.9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2