Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by     manipulating the processed input stream (CVE-2021-21351)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a     Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow     a remote attacker to request data from internal resources that are not publicly available only by     manipulating the processed input stream. If you rely on XStream's default blacklist of the Security     Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if     running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security     Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a     whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still     want to use XStream default blacklist can use a workaround described in more detailed in the referenced     advisories. (CVE-2020-26258)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is     vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow     a remote attacker to delete arbitrary know files on the host as log as the executing process has     sufficient rights only by manipulating the processed input stream. If you rely on XStream's default     blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported     vulnerability does not exist running Java 15 or higher. No user is affected, who followed the     recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default     blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of     XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in     more detailed in the referenced advisories. (CVE-2020-26259)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system     depending on CPU type or parallel execution of such a payload resulting in a denial of service only by     manipulating the processed input stream. No user is affected who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21341)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in a server-side forgery request. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21342)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in the deletion of a file on the local host. No user is affected, who followed the recommendation     to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely     on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21343)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU     time and will never return. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21348)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to request data from internal resources that     are not publicly available only by manipulating the processed input stream. No user is affected, who     followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal     required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use     at least version 1.4.16. (CVE-2021-21349)

  - XStream is an open source java library to serialize objects to XML and back again. Versions prior to     1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or     parallel execution of such a payload resulting in a denial of service only by manipulating the processed     input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and     throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible.
    Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for     further details on a workaround if an upgrade is not possible. (CVE-2021-43859)

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3299 advisory.

  - google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

  - kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)

  - jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  - springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)

  - com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)

  - xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)

  - woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)

  - apache-commons-text: variable interpolation RCE (CVE-2022-42889)

  - jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  - Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)

  - jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

  - jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

  - Jenkins: Denial of Service attack (CVE-2023-27900, CVE-2023-27901)

  - Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2464 advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the April 2023 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (Netty)).  Supported versions that are affected are 12.2.1.4.0. Netty project is an event-driven     asynchronous network application framework. In versions prior to 4.1.86.Final, a stack overflow error can be     raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in     version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (XStream)).  Supported versions that are affected are 12.2.1.4.0. Those using Xstream to seralize     XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input,     an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial     of service attack. (CVE-2022-40151)

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework     (jackson-databind)). Supported versions that are affected are 12.2.1.4.0. In FasterXML jackson-databind before     2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid     deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in     2.13.4.1 and 2.12.17.1 (CVE-2022-42003)

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1673-1 advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 9d9e9439-959e-11ed-b464-b42e991fc52e advisory.

  - Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. This effect may support a denial of service attack. (CVE-2022-40151)

  - XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote     attacker to terminate the application with a stack overflow error, resulting in a denial of service only     via manipulation the processed input stream. The attack uses the hash code implementation for collections     and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version     1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential     workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or     set, is to change the default implementation of java.util.Map and java.util per the code example in the     referenced advisory. However, this implies that your application does not care about the implementation of     the map and all elements are comparable. (CVE-2022-41966)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196408	RHEL 7 : xstream (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
194250	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3299)	Nessus	Red Hat Local Security Checks	critical
190694	Amazon Linux 2 : xstream (ALAS-2024-2464)	Nessus	Amazon Linux Local Security Checks	high
174540	Oracle WebCenter Portal Multiple Vulnerabilities (April 2023 CPU)	Nessus	Misc.	medium
173696	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xstream (SUSE-SU-2023:1673-1)	Nessus	SuSE Local Security Checks	high
170077	FreeBSD : security/keycloak -- Multiple possible DoS attacks (9d9e9439-959e-11ed-b464-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-40151

high

Tenable Plugins

critical

critical

high

medium

high

high