CVE-2020-26217: Remote Code Execution in XStream
First published: Mon Nov 16 2020(Updated: )
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xstream | <0:1.3.1-12.el7_9 | 0:1.3.1-12.el7_9 |
| redhat/xstream | <1.4.14 | 1.4.14 |
| Xstream Project Xstream | <1.4.14 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Netapp Snapmanager Sap | ||
| Netapp Snapmanager Oracle | ||
| Apache ActiveMQ | =5.15.4 | |
| Oracle Banking Cash Management | =14.2 | |
| Oracle Banking Cash Management | =14.3 | |
| Oracle Banking Cash Management | =14.5 | |
| Oracle Banking Corporate Lending Process Management | =14.2 | |
| Oracle Banking Corporate Lending Process Management | =14.3 | |
| Oracle Banking Corporate Lending Process Management | =14.5 | |
| Oracle Banking Credit Facilities Process Management | =14.2 | |
| Oracle Banking Credit Facilities Process Management | =14.3 | |
| Oracle Banking Credit Facilities Process Management | =14.5 | |
| Oracle Banking Platform | =2.4.0 | |
| Oracle Banking Platform | =2.7.1 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Banking Supply Chain Finance | =14.2 | |
| Oracle Banking Supply Chain Finance | =14.3 | |
| Oracle Banking Supply Chain Finance | =14.5 | |
| Oracle Banking Trade Finance Process Management | =14.2 | |
| Oracle Banking Trade Finance Process Management | =14.3 | |
| Oracle Banking Trade Finance Process Management | =14.5 | |
| Oracle Banking Virtual Account Management | =14.2.0 | |
| Oracle Banking Virtual Account Management | =14.3.0 | |
| Oracle Banking Virtual Account Management | =14.5.0 | |
| Oracle Business Activity Monitoring | =11.1.1.9.0 | |
| Oracle Business Activity Monitoring | =12.2.1.3.0 | |
| Oracle Business Activity Monitoring | =12.2.1.4.0 | |
| Oracle Communications Policy Management | =12.5.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0.0 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| IBM RDNG | <=6.0.2 | |
| IBM DOORS Next | <=7.0 | |
| IBM DOORS Next | <=7.0.1 | |
| IBM DOORS Next | <=7.0.2 | |
| IBM RDNG | <=6.0.6.1 | |
| IBM RDNG | <=6.0.6 | |
| IBM Pub | <=7.0.1 | |
| IBM Pub | <=7.0.2 | |
| IBM Pub | <=7.0 | |
| IBM EWM | <=7.0.2 | |
| IBM EWM | <=7.0.1 | |
| IBM RTC | <=6.0.2 | |
| IBM RTC | <=6.0.6.1 | |
| IBM EWM | <=7.0 | |
| IBM RTC | <=6.0.6 | |
| IBM Global Configuration Management | <=All | |
| IBM ETM | <=7.0.2 | |
| IBM RQM | <=6.0.6.1 | |
| IBM ETM | <=7.0.1 | |
| IBM RQM | <=6.0.6 | |
| IBM ETM | <=7.0.0 | |
| IBM RQM | <=6.0.2 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
| debian/libxstream-java | 1.4.15-3+deb11u2 1.4.20-1 1.4.20-2 |
Remedy
Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. Allow list approach ```java XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.misc.classname"}) ``` Deny list for XStream 1.4.13 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); ``` Deny list for XStream 1.4.7 -> 1.4.12 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); ``` Deny list for versions prior to XStream 1.4.7 ```java xstream.registerConverter(new Converter() { public boolean canConvert(Class type) { return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type)); } public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } }, XStream.PRIORITY_LOW); ```
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-26217 https://nvd.nist.gov/vuln/detail/CVE-2020-26217
- https://bugzilla.redhat.com/show_bug.cgi?id=1898907
- https://access.redhat.com/errata/RHSA-2021:0433
- https://access.redhat.com/errata/RHSA-2021:0106
- https://access.redhat.com/errata/RHSA-2021:0162
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:0384
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2021:0105
- https://access.redhat.com/security/cve/cve-2020-26217
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
- https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
- https://x-stream.github.io/CVE-2020-26217.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1898944
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream
- https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
- https://www.jenkins.io/security/advisory/2017-02-01/
- https://access.redhat.com/security/cve/CVE-2017-2608
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
- https://security.netapp.com/advisory/ntap-20210409-0004/
- https://www.debian.org/security/2020/dsa-4811
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/192210
- https://www.ibm.com/support/pages/node/6417585 (Advisory)
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2020-26217
- https://security-tracker.debian.org/tracker/CVE-2020-26217
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217
- https://nvd.nist.gov/vuln/detail/CVE-2020-26217
- https://ubuntu.com/security/CVE-2020-26217
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-26217?
CVE-2020-26217 is a vulnerability in XStream before version 1.4.14 that allows remote code execution.
How severe is CVE-2020-26217?
CVE-2020-26217 has a severity rating of critical (9 out of 10).
How can a remote attacker exploit CVE-2020-26217?
A remote attacker can exploit CVE-2020-26217 by manipulating the processed input stream to run arbitrary shell commands.
Which systems are affected by CVE-2020-26217?
Systems using XStream before version 1.4.14 and relying on blocklists are affected by CVE-2020-26217.
How can I fix CVE-2020-26217?
To fix CVE-2020-26217, update XStream to version 1.4.14 or apply the appropriate patches provided by the vendor.
- collector/redhat-cve
- agent/type
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-26217
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/references
- agent/first-publish-date
- agent/description
- agent/author
- collector/nvd-cve
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/event
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/xstream project
- canonical/xstream project xstream
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/netapp
- canonical/netapp snapmanager sap
- canonical/netapp snapmanager oracle
- vendor/apache
- canonical/apache activemq
- version/apache activemq/5.15.4
- vendor/oracle
- canonical/oracle banking cash management
- version/oracle banking cash management/14.2
- version/oracle banking cash management/14.3
- version/oracle banking cash management/14.5
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2
- version/oracle banking corporate lending process management/14.3
- version/oracle banking corporate lending process management/14.5
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2
- version/oracle banking credit facilities process management/14.3
- version/oracle banking credit facilities process management/14.5
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.7.1
- version/oracle banking platform/2.9.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2
- version/oracle banking supply chain finance/14.3
- version/oracle banking supply chain finance/14.5
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2
- version/oracle banking trade finance process management/14.3
- version/oracle banking trade finance process management/14.5
- canonical/oracle banking virtual account management
- version/oracle banking virtual account management/14.2.0
- version/oracle banking virtual account management/14.3.0
- version/oracle banking virtual account management/14.5.0
- canonical/oracle business activity monitoring
- version/oracle business activity monitoring/11.1.1.9.0
- version/oracle business activity monitoring/12.2.1.3.0
- version/oracle business activity monitoring/12.2.1.4.0
- canonical/oracle communications policy management
- version/oracle communications policy management/12.5.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- vendor/ibm
- canonical/ibm rdng
- version/ibm rdng/6.0.2
- canonical/ibm doors next
- version/ibm doors next/7.0
- version/ibm doors next/7.0.1
- version/ibm doors next/7.0.2
- version/ibm rdng/6.0.6.1
- version/ibm rdng/6.0.6
- canonical/ibm pub
- version/ibm pub/7.0.1
- version/ibm pub/7.0.2
- version/ibm pub/7.0
- canonical/ibm ewm
- version/ibm ewm/7.0.2
- version/ibm ewm/7.0.1
- canonical/ibm rtc
- version/ibm rtc/6.0.2
- version/ibm rtc/6.0.6.1
- version/ibm ewm/7.0
- version/ibm rtc/6.0.6
- canonical/ibm global configuration management
- version/ibm global configuration management/all
- canonical/ibm etm
- version/ibm etm/7.0.2
- canonical/ibm rqm
- version/ibm rqm/6.0.6.1
- version/ibm etm/7.0.1
- version/ibm rqm/6.0.6
- version/ibm etm/7.0.0
- version/ibm rqm/6.0.2
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all
- package-manager/debian