CVE-2017-7957 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-7957?

CVE-2017-7957 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-7957?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Fuse, Redhat Jboss Middleware, Xstream Xstream, Debian Debian Linux.

Vulnerability Description

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Fuse	1.0
Redhat	Jboss Middleware	1
Xstream	Xstream	<= 1.4.9
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-20

References

http://www.debian.org/security/2017/dsa-3841Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/100687Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039499Broken LinkThird Party AdvisoryVDB Entry
http://x-stream.github.io/CVE-2017-7957.htmlVendor Advisory
https://access.redhat.com/errata/RHSA-2017:1832Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2888Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2889Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/125800Third Party AdvisoryVDB Entry
https://www-prd-trops.events.ibm.com/node/715749Broken LinkPermissions Required
http://www.debian.org/security/2017/dsa-3841Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/100687Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039499Broken LinkThird Party AdvisoryVDB Entry
http://x-stream.github.io/CVE-2017-7957.htmlVendor Advisory
https://access.redhat.com/errata/RHSA-2017:1832Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2888Third Party Advisory

FAQ

What is CVE-2017-7957?

CVE-2017-7957 is a vulnerability with a CVSS score of 7.5 (HIGH). XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application cra...

How severe is CVE-2017-7957?

CVE-2017-7957 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7957?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Fuse, Redhat Jboss Middleware, Xstream Xstream, Debian Debian Linux.