
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
XStream, a Java library for object serialization to XML, was found to contain a high-severity denial-of-service vulnerability (CVE-2024-47072) with a CVSS score of 7.5. The vulnerability affects all versions up to and including 1.4.20 when using XStream's BinaryStreamDriver. The issue was discovered by Alexis Challande of Trail of Bits and was publicly disclosed on November 7, 2024 (XStream Advisory).
The vulnerability stems from insecure handling of string value IDs during deserialization in XStream's BinaryStreamDriver. The driver maps string values to IDs as an optimization, but a flaw in the reader's implementation allows endless recursion during ID mapping. When unmarshalling, the reader performs a simple one-time recursion after reading a mapping token in order to process the next normal token of the data stream; a crafted stream can turn this into an endless recursion (Security Online).
The vulnerability allows remote attackers to terminate applications using XStream with BinaryStreamDriver by triggering a stack overflow error, resulting in a denial of service. The attack requires no user interaction and can be executed remotely, leading to high availability impact while having no effect on confidentiality or integrity (XStream Doc).
The primary mitigation is to upgrade to XStream version 1.4.21, which detects the manipulation in the binary input stream and raises an InputManipulationException instead of crashing. For users unable to upgrade immediately, a temporary workaround is to catch the StackOverflowError in the client code that calls XStream. This is only a stopgap measure, not a complete solution (XStream Advisory).
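The following is an added example, not code from the XStream project or from this advisory, showing how a caller using BinaryStreamDriver on untrusted input can apply the stopgap described above while still restricting the types XStream may instantiate. The Message class and SafeBinaryUnmarshal wrapper are hypothetical names chosen for the demonstration; the exception package of InputManipulationException is not imported, so the catch relies only on it being a RuntimeException.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Optional;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.NoTypePermission;

public class SafeBinaryUnmarshal {

    /** Hypothetical payload type used only for this demonstration. */
    public static final class Message {
        public String text;
        public int priority;
    }

    private static XStream newXStream() {
        XStream xs = new XStream(new BinaryStreamDriver());
        // Deny every type first, then allow only what this service expects.
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] { Message.class });
        return xs;
    }

    /** Serialize with the binary driver so the round trip uses the same format. */
    public static byte[] marshal(Message m) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        newXStream().toXML(m, out);
        return out.toByteArray();
    }

    /** Unmarshal untrusted binary input; empty result means the stream was rejected. */
    public static Optional<Message> unmarshal(InputStream in) {
        try {
            return Optional.of((Message) newXStream().fromXML(in));
        } catch (StackOverflowError e) {
            // Stopgap for 1.4.20 and earlier: the recursion surfaces here
            // instead of taking down the calling thread or the application.
            return Optional.empty();
        } catch (RuntimeException e) {
            // On 1.4.21+ a manipulated stream raises InputManipulationException
            // (an XStreamException); also covers a ClassCastException on an
            // unexpected root type.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Message m = new Message();
        m.text = "hello";
        m.priority = 3;
        Optional<Message> back = unmarshal(new ByteArrayInputStream(marshal(m)));
        System.out.println(back.map(x -> x.text).orElse("rejected"));
    }
}
```

Catching StackOverflowError only keeps the calling thread alive; the upgrade to 1.4.21 is the actual fix.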
Source: This report was generated using AI