CVE-2022-41966: 
Java vulnerability analysis and mitigation

XStream, a Java library that serializes objects to XML and back, was found to contain a vulnerability (CVE-2022-41966) in versions prior to 1.4.20. The vulnerability was discovered by Lai Han of nsfocus security team and was disclosed in December 2022. The affected software allows remote attackers to cause a Denial of Service (DoS) condition through manipulation of the processed input stream (XStream CVE, NVD).

The vulnerability exploits the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. The affected Java runtime types include java.util.HashMap, java.util.HashSet, java.util.Hashtable, java.util.LinkedHashMap, and java.util.LinkedHashSet. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, NetApp Advisory).

When successfully exploited, this vulnerability allows remote attackers to terminate the application with a stack overflow error, resulting in a denial of service condition. The attack specifically targets the application's ability to process XML data, affecting the availability of the service (XStream CVE, GitHub Advisory).

The vulnerability is patched in XStream version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. For users unable to upgrade, several workarounds are available: catching the StackOverflowError in client code, using NO_REFERENCE mode for applications without referenced elements, denying specific Java collection types using the security framework, or changing the default implementation of java.util.Map and java.util.Set to their Tree variants (GitHub Advisory, XStream CVE).