Vulnerability Name:

CVE-2017-7957 (CCN-125800)

Assigned: 2017-04-19
Published: 2017-04-19
Updated: 2019-03-26
Summary: XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:W/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:W/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2017-7957

Source: DEBIAN
Type: Third Party Advisory
DSA-3841

Source: CCN
Type: IBM Security Bulletin 738465 (Contact Optimization)
Open Source XStream Vulnerabilities Affect IBM Contact Optimization (CVE-2017-7957)

Source: CCN
Type: IBM Security Bulletin 738737 (Marketing Platform)
Open Source XStream Vulnerabilities Affect IBM Marketing Platform and IBM Marketing Operations (CVE-2017-7957)

Source: CCN
Type: IBM Security Bulletin 967469 (Security Privileged Identity Manager)
IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2004066 (Notes)
IBM Notes is affected by Open Source XStream Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2004784 (InfoSphere Information Server)
A vulnerability in XStream affects IBM InfoSphere Information Governance components

Source: CCN
Type: IBM Security Bulletin 2005235 (Notes)
Fix Available for a Denial of Service Vulnerability in IBM Notes (CVE-2017-7957)

Source: CCN
Type: IBM Security Bulletin 2007445 (Tivoli Netcool Configuration Manager)
IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a XStream vulnerability

Source: CCN
Type: IBM Security Bulletin 2008217 (Security QRadar SIEM)
Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957)

Source: CCN
Type: IBM Security Bulletin 2015539 (PredictiveInsight)
Multiple Security Vulnerabilities Impact IBM Predictive Insights

Source: CCN
Type: IBM Security Bulletin 2015573 (Campaign)
Open Source XStream Vulnerabilities Impact on IBM Campaign (CVE-2017-7957)

Source: BID
Type: Third Party Advisory, VDB Entry
100687

Source: CCN
Type: BID-100687
IBM QRadar SIEM CVE-2017-7957 Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1039499

Source: CCN
Type: XStream Web site
CVE-2017-7957: XStream can cause a Denial of Service when unmarshalling void

Source: CONFIRM
Type: Vendor Advisory
http://x-stream.github.io/CVE-2017-7957.html

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:1832

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:2888

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:2889

Source: XF
Type: Third Party Advisory, VDB Entry
xstream-cve20177957-dos(125800)

Source: XF
Type: UNKNOWN
xstream-cve20177957-dos(125800)

Source: CONFIRM
Type: Permissions Required
https://www-prd-trops.events.ibm.com/node/715749

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 3106029 (StoredIQ)
Multiple Vulnerabilities identified in IBM StoredIQ

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-7957

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version <= 1.4.9)

  Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.9:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:predictiveinsight:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:marketing_platform:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:campaign:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:9.0.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:8.5.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:9.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:contact_optimization:9.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_quality_manager:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:contact_optimization:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:contact_optimization:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:marketing_platform:9.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:marketing_platform:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storediq:7.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_privileged_identity_manager:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8073 | P | xstream-1.4.20-150200.3.25.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:3432 | P | apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95062 | P | xstream-1.4.19-3.18.2 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:113607 | P | xstream-1.4.18-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106990 | P | xstream-1.4.18-1.1 on GA media (Moderate) | 2021-10-01
oval:com.ubuntu.artful:def:20177957000 | V | CVE-2017-7957 on Ubuntu 17.10 (artful) - medium. | 2017-04-29
oval:com.ubuntu.xenial:def:20177957000 | V | CVE-2017-7957 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-04-29
oval:com.ubuntu.bionic:def:20177957000 | V | CVE-2017-7957 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-04-29
oval:com.ubuntu.bionic:def:201779570000000 | V | CVE-2017-7957 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-04-29
oval:com.ubuntu.precise:def:20177957000 | V | CVE-2017-7957 on Ubuntu 12.04 LTS (precise) - medium. | 2017-04-29
oval:com.ubuntu.xenial:def:201779570000000 | V | CVE-2017-7957 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-04-29
oval:com.ubuntu.trusty:def:20177957000 | V | CVE-2017-7957 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-04-29