CVE-2017-7957
It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully, which could cause an application crash. The crash occurs if the file being fed into the XStream input stream contains an instance of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.
Find out more about CVE-2017-7957 from the MITRE CVE dictionary and NIST NVD.
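The mitigation for unpatched XStream releases is to configure its type-permission framework so that the parser only instantiates types the application expects and explicitly denies `void`. The following is an added example, not code from this advisory or from the XStream project; the `Order` class, the `HardenedXStream` wrapper and the probe document are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {
    // Hypothetical application type: the only object the parser should build.
    public static class Order {
        public String id;
        public int quantity;
    }

    public static XStream create() {
        XStream xstream = new XStream();
        // Deny everything first, then re-allow only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class, String.class });
        // Workaround for CVE-2017-7957 on releases that still accept the
        // primitive 'void': deny it explicitly. Registered after the allow
        // rules so the denial is consulted before them.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Returns true when XStream refuses the document on type-permission
    // grounds; any other failure propagates to the caller.
    public static boolean refuses(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        Order in = new Order();
        in.id = "A-1";
        in.quantity = 3;
        // Legitimate input still round-trips through the hardened instance.
        Order out = (Order) xstream.fromXML(xstream.toXML(in));
        System.out.println("round trip ok: " + in.id.equals(out.id));
        // Constructed probe: a valid Java type outside the allowlist must be
        // refused rather than instantiated.
        System.out.println("refused: " + refuses(xstream, "<java.util.Date/>"));
    }
}
```

Run the same `refuses` check against every document shape the application does not expect as part of the deployment test suite, so that a regression in the permission setup is caught before it reaches production.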
CVSS v3 metrics
| Metric | Value |
|---|---|
| CVSS3 Base Score | 5.9 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat JBoss A-MQ 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat JBoss BRMS 6.4 | RHSA-2017:2888 | 2017-10-12 |
| Red Hat JBoss BPMS 6.4 | RHSA-2017:2889 | 2017-10-12 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Single Sign-On 7 | xstream | Will not fix |
| Red Hat Satellite 6 | xstream | Not affected |
| Red Hat OpenShift Enterprise 2 | xstream | Not affected |
| Red Hat JBoss Portal Platform 6 | xstream | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | xstream | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 5 | xstream | Will not fix |
| Red Hat JBoss Data Grid 7 | xstream | Will not fix |
| Red Hat JBoss Data Grid 6 | xstream | Will not fix |
| Red Hat Enterprise Linux 7 | xstream | Will not fix |
| RHEV Manager 3 | jasperreports-server-pro | Will not fix |
