XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an     instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as     demonstrated by an xstream.fromXML(<void/>) call. (CVE-2017-7957)

Note that Nessus relies on the presence of the package as reported by the vendor.

There are packages installed that are affected by a vulnerability referenced in the following CVE:

  - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an
    instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as
    demonstrated by an xstream.fromXML("<void/>") call. (CVE-2017-7957)

According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.10.1. It is, therefore, affected by multiple vulnerabilities:

  - Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may     allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when     unmarshaling XML or any supported format. e.g. JSON. (CVE-2013-7285)

  - Multiple XML external entity (XXE) vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver,     StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files     via a crafted XML document. (CVE-2016-3674)

  - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance     of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by     an xstream.fromXML call. (CVE-2017-7957)

  - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite     loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose     the file names inside of an archive created by Compress. (CVE-2019-12402)

  - The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1     allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that XStream, a Java library to serialise objects to XML and back again, was suspectible to denial of service during unmarshalling.

It was discovered that there was a remote application crash vulnerability in libxstream-java, a Java library to serialize objects to XML and back again. This was due to mishandled attempts to create an instance of the primitive type 'void' during unmarshalling.

For Debian 7 'Wheezy', this issue has been fixed in libxstream-java version 1.4.2-1+deb7u2.

We recommend that you upgrade your libxstream-java packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
221399	Linux Distros Unpatched Vulnerability : CVE-2017-7957	Nessus	Misc.	high
412096	SCA: security update for com.thoughtworks.xstream:xstream (GHSA-7hwc-46rm-65jh)	Tenable Cloud Security	SCA Checks	high
412096	SCA: security update for com.thoughtworks.xstream:xstream (GHSA-7hwc-46rm-65jh)	Tenable Self-Hosted Container Security	SCA Checks	high
144307	JFrog < 7.10.1 Multiple Vulnerabilities	Nessus	Misc.	critical
99970	Debian DSA-3841-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	high
99919	Debian DLA-930-1 : libxstream-java security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-7957

high

Tenable Plugins

high

high

high

critical

high

high