First published: Mon Nov 16 2020(Updated: )
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/xstream | <0:1.3.1-12.el7_9 | 0:1.3.1-12.el7_9 |
redhat/xstream | <1.4.14 | 1.4.14 |
Xstream Project Xstream | <1.4.14 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Netapp Snapmanager Sap | ||
Netapp Snapmanager Oracle | ||
Apache ActiveMQ | =5.15.4 | |
Oracle Banking Cash Management | =14.2 | |
Oracle Banking Cash Management | =14.3 | |
Oracle Banking Cash Management | =14.5 | |
Oracle Banking Corporate Lending Process Management | =14.2 | |
Oracle Banking Corporate Lending Process Management | =14.3 | |
Oracle Banking Corporate Lending Process Management | =14.5 | |
Oracle Banking Credit Facilities Process Management | =14.2 | |
Oracle Banking Credit Facilities Process Management | =14.3 | |
Oracle Banking Credit Facilities Process Management | =14.5 | |
Oracle Banking Platform | =2.4.0 | |
Oracle Banking Platform | =2.7.1 | |
Oracle Banking Platform | =2.9.0 | |
Oracle Banking Supply Chain Finance | =14.2 | |
Oracle Banking Supply Chain Finance | =14.3 | |
Oracle Banking Supply Chain Finance | =14.5 | |
Oracle Banking Trade Finance Process Management | =14.2 | |
Oracle Banking Trade Finance Process Management | =14.3 | |
Oracle Banking Trade Finance Process Management | =14.5 | |
Oracle Banking Virtual Account Management | =14.2.0 | |
Oracle Banking Virtual Account Management | =14.3.0 | |
Oracle Banking Virtual Account Management | =14.5.0 | |
Oracle Business Activity Monitoring | =11.1.1.9.0 | |
Oracle Business Activity Monitoring | =12.2.1.3.0 | |
Oracle Business Activity Monitoring | =12.2.1.4.0 | |
Oracle Communications Policy Management | =12.5.0 | |
Oracle Endeca Information Discovery Studio | =3.2.0.0 | |
Oracle Retail Xstore Point of Service | =16.0.6 | |
Oracle Retail Xstore Point of Service | =17.0.4 | |
Oracle Retail Xstore Point of Service | =18.0.3 | |
Oracle Retail Xstore Point of Service | =19.0.2 | |
IBM RDNG | <=6.0.2 | |
IBM DOORS Next | <=7.0 | |
IBM DOORS Next | <=7.0.1 | |
IBM DOORS Next | <=7.0.2 | |
IBM RDNG | <=6.0.6.1 | |
IBM RDNG | <=6.0.6 | |
IBM Pub | <=7.0.1 | |
IBM Pub | <=7.0.2 | |
IBM Pub | <=7.0 | |
IBM EWM | <=7.0.2 | |
IBM EWM | <=7.0.1 | |
IBM RTC | <=6.0.2 | |
IBM RTC | <=6.0.6.1 | |
IBM EWM | <=7.0 | |
IBM RTC | <=6.0.6 | |
IBM Global Configuration Management | <=All | |
IBM ETM | <=7.0.2 | |
IBM RQM | <=6.0.6.1 | |
IBM ETM | <=7.0.1 | |
IBM RQM | <=6.0.6 | |
IBM ETM | <=7.0.0 | |
IBM RQM | <=6.0.2 | |
IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
debian/libxstream-java | 1.4.15-3+deb11u2 1.4.20-1 1.4.21-1 |
Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. Allow list approach ```java XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.misc.classname"}) ``` Deny list for XStream 1.4.13 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); ``` Deny list for XStream 1.4.7 -> 1.4.12 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); ``` Deny list for versions prior to XStream 1.4.7 ```java xstream.registerConverter(new Converter() { public boolean canConvert(Class type) { return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type)); } public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } }, XStream.PRIORITY_LOW); ```
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-26217 is a vulnerability in XStream before version 1.4.14 that allows remote code execution.
CVE-2020-26217 has a severity rating of critical (9 out of 10).
A remote attacker can exploit CVE-2020-26217 by manipulating the processed input stream to run arbitrary shell commands.
Systems using XStream before version 1.4.14 and relying on blocklists are affected by CVE-2020-26217.
To fix CVE-2020-26217, update XStream to version 1.4.14 or apply the appropriate patches provided by the vendor.