CVE-2023-26470: 
Java vulnerability analysis and mitigation

CVE-2023-26470 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in versions prior to 14.0-rc-1 and was patched in version 14.0-rc-1. The issue was disclosed on March 1, 2023, and allows an attacker to make the farm unusable by manipulating object numbers in documents (GitHub Advisory).

The vulnerability stems from how XWiki Platform stores document objects. When creating an object with a large object number (e.g., 67108863), the system stores null entries for all object numbers that have no object associated. Each null entry consumes a 64-bit pointer, resulting in significant memory usage (512MiB per document copy for object number 67108863). The vulnerability has a CVSS v3.1 score of 5.7 (Moderate) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to persistent Out of Memory (OOM) errors when manipulating affected documents. With a typical memory limit of 1GiB, saving a document might work, but any attempt to display the document or part of it creates a clone which results in OOM errors. This makes the affected document and related functionalities inaccessible. Object numbers close to 2³¹ could potentially consume up to 16GiB per document copy (Jira Issue).

The vulnerability was patched in XWiki Platform version 14.0-rc-1 by improving the xobject memory storage in XWikiDocument. The fix involved implementing a new storage mechanism using Map instead of storing null entries. No workarounds are available for unpatched versions (GitHub Advisory).