CWE
78 502
Advisory Published
CVE Published
CVE Published
Updated

CVE-2020-26217: Remote Code Execution in XStream

First published: Mon Nov 16 2020(Updated: )

A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
redhat/xstream<0:1.3.1-12.el7_9
0:1.3.1-12.el7_9
redhat/xstream<1.4.14
1.4.14
Xstream Project Xstream<1.4.14
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Netapp Snapmanager Sap
Netapp Snapmanager Oracle
Apache ActiveMQ=5.15.4
Oracle Banking Cash Management=14.2
Oracle Banking Cash Management=14.3
Oracle Banking Cash Management=14.5
Oracle Banking Corporate Lending Process Management=14.2
Oracle Banking Corporate Lending Process Management=14.3
Oracle Banking Corporate Lending Process Management=14.5
Oracle Banking Credit Facilities Process Management=14.2
Oracle Banking Credit Facilities Process Management=14.3
Oracle Banking Credit Facilities Process Management=14.5
Oracle Banking Platform=2.4.0
Oracle Banking Platform=2.7.1
Oracle Banking Platform=2.9.0
Oracle Banking Supply Chain Finance=14.2
Oracle Banking Supply Chain Finance=14.3
Oracle Banking Supply Chain Finance=14.5
Oracle Banking Trade Finance Process Management=14.2
Oracle Banking Trade Finance Process Management=14.3
Oracle Banking Trade Finance Process Management=14.5
Oracle Banking Virtual Account Management=14.2.0
Oracle Banking Virtual Account Management=14.3.0
Oracle Banking Virtual Account Management=14.5.0
Oracle Business Activity Monitoring=11.1.1.9.0
Oracle Business Activity Monitoring=12.2.1.3.0
Oracle Business Activity Monitoring=12.2.1.4.0
Oracle Communications Policy Management=12.5.0
Oracle Endeca Information Discovery Studio=3.2.0.0
Oracle Retail Xstore Point of Service=16.0.6
Oracle Retail Xstore Point of Service=17.0.4
Oracle Retail Xstore Point of Service=18.0.3
Oracle Retail Xstore Point of Service=19.0.2
IBM RDNG<=6.0.2
IBM DOORS Next<=7.0
IBM DOORS Next<=7.0.1
IBM DOORS Next<=7.0.2
IBM RDNG<=6.0.6.1
IBM RDNG<=6.0.6
IBM Pub<=7.0.1
IBM Pub<=7.0.2
IBM Pub<=7.0
IBM EWM<=7.0.2
IBM EWM<=7.0.1
IBM RTC<=6.0.2
IBM RTC<=6.0.6.1
IBM EWM<=7.0
IBM RTC<=6.0.6
IBM Global Configuration Management<=All
IBM ETM<=7.0.2
IBM RQM<=6.0.6.1
IBM ETM<=7.0.1
IBM RQM<=6.0.6
IBM ETM<=7.0.0
IBM RQM<=6.0.2
IBM Engineering Requirements Quality Assistant On-Premises<=All
debian/libxstream-java
1.4.15-3+deb11u2
1.4.20-1
1.4.21-1

Remedy

Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. Allow list approach ```java XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.misc.classname"}) ``` Deny list for XStream 1.4.13 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); ``` Deny list for XStream 1.4.7 -> 1.4.12 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); ``` Deny list for versions prior to XStream 1.4.7 ```java xstream.registerConverter(new Converter() { public boolean canConvert(Class type) { return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type)); } public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } }, XStream.PRIORITY_LOW); ```

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Frequently Asked Questions

  • What is CVE-2020-26217?

    CVE-2020-26217 is a vulnerability in XStream before version 1.4.14 that allows remote code execution.

  • How severe is CVE-2020-26217?

    CVE-2020-26217 has a severity rating of critical (9 out of 10).

  • How can a remote attacker exploit CVE-2020-26217?

    A remote attacker can exploit CVE-2020-26217 by manipulating the processed input stream to run arbitrary shell commands.

  • Which systems are affected by CVE-2020-26217?

    Systems using XStream before version 1.4.14 and relying on blocklists are affected by CVE-2020-26217.

  • How can I fix CVE-2020-26217?

    To fix CVE-2020-26217, update XStream to version 1.4.14 or apply the appropriate patches provided by the vendor.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203