CVE-2020-26217: Remote Code Execution in XStream
First published: Mon Nov 16 2020(Updated: )
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xstream | <0:1.3.1-12.el7_9 | 0:1.3.1-12.el7_9 |
| redhat/xstream | <1.4.14 | 1.4.14 |
| debian/libxstream-java | 1.4.15-3+deb11u2 1.4.15-3+deb11u3 1.4.20-1+deb12u1 1.4.21-1 | |
| IBM Rational DOORS Next Generation | <=6.0.2 | |
| IBM Rational DOORS Next Generation | <=7.0 | |
| IBM Rational DOORS Next Generation | <=7.0.1 | |
| IBM Rational DOORS Next Generation | <=7.0.2 | |
| IBM Rational DOORS Next Generation | <=6.0.6.1 | |
| IBM Rational DOORS Next Generation | <=6.0.6 | |
| IBM Pub | <=7.0.1 | |
| IBM Pub | <=7.0.2 | |
| IBM Pub | <=7.0 | |
| IBM Engineering Workflow Management (EWM) | <=7.0.2 | |
| IBM Engineering Workflow Management (EWM) | <=7.0.1 | |
| IBM Rational Team Concert | <=6.0.2 | |
| IBM Rational Team Concert | <=6.0.6.1 | |
| IBM Engineering Workflow Management (EWM) | <=7.0 | |
| IBM Rational Team Concert | <=6.0.6 | |
| IBM Global Configuration Management | <=All | |
| IBM Engineering Test Management (ETM) | <=7.0.2 | |
| IBM Rational Quality Manager (RQM) | <=6.0.6.1 | |
| IBM Engineering Test Management (ETM) | <=7.0.1 | |
| IBM Rational Quality Manager (RQM) | <=6.0.6 | |
| IBM Engineering Test Management (ETM) | <=7.0.0 | |
| IBM Rational Quality Manager (RQM) | <=6.0.2 | |
| IBM Engineering Requirements Quality Assistant | <=All | |
| XStream | <1.4.14 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| NetApp SnapManager for SAP | ||
| NetApp SnapManager for Oracle | ||
| Apache ActiveMQ | =5.15.4 | |
| Oracle Cash Management | =14.2 | |
| Oracle Cash Management | =14.3 | |
| Oracle Cash Management | =14.5 | |
| Oracle Banking Corporate Lending | =14.2 | |
| Oracle Banking Corporate Lending | =14.3 | |
| Oracle Banking Corporate Lending | =14.5 | |
| Oracle Banking Credit Facilities Process Management | =14.2 | |
| Oracle Banking Credit Facilities Process Management | =14.3 | |
| Oracle Banking Credit Facilities Process Management | =14.5 | |
| Oracle Banking Platform | =2.4.0 | |
| Oracle Banking Platform | =2.7.1 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Banking Supply Chain Finance | =14.2 | |
| Oracle Banking Supply Chain Finance | =14.3 | |
| Oracle Banking Supply Chain Finance | =14.5 | |
| Oracle Banking Trade Finance Process Management | =14.2 | |
| Oracle Banking Trade Finance Process Management | =14.3 | |
| Oracle Banking Trade Finance Process Management | =14.5 | |
| Oracle Banking Virtual Account Management | =14.2.0 | |
| Oracle Banking Virtual Account Management | =14.3.0 | |
| Oracle Banking Virtual Account Management | =14.5.0 | |
| Oracle Business Activity Monitoring | =11.1.1.9.0 | |
| Oracle Business Activity Monitoring | =12.2.1.3.0 | |
| Oracle Business Activity Monitoring | =12.2.1.4.0 | |
| Oracle Communications Policy Management | =12.5.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0.6 | |
| Oracle Retail Xstore Office Cloud Service | =17.0.4 | |
| Oracle Retail Xstore Office Cloud Service | =18.0.3 | |
| Oracle Retail Xstore Office Cloud Service | =19.0.2 |
Remedy
Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address. Allow list approach ```java XStream xstream = new XStream(); XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.misc.classname"}) ``` Deny list for XStream 1.4.13 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); ``` Deny list for XStream 1.4.7 -> 1.4.12 ```java xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); ``` Deny list for versions prior to XStream 1.4.7 ```java xstream.registerConverter(new Converter() { public boolean canConvert(Class type) { return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type)); } public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { throw new ConversionException("Unsupported type due to security reasons."); } }, XStream.PRIORITY_LOW); ```
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-26217 https://nvd.nist.gov/vuln/detail/CVE-2020-26217
- https://bugzilla.redhat.com/show_bug.cgi?id=1898907
- https://access.redhat.com/errata/RHSA-2021:0433
- https://access.redhat.com/errata/RHSA-2021:0106
- https://access.redhat.com/errata/RHSA-2021:0162
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:0384
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2021:0105
- https://access.redhat.com/security/cve/cve-2020-26217
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
- https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
- https://x-stream.github.io/CVE-2020-26217.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1898944
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream
- https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
- https://www.jenkins.io/security/advisory/2017-02-01/
- https://access.redhat.com/security/cve/CVE-2017-2608
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
- https://security.netapp.com/advisory/ntap-20210409-0004/
- https://www.debian.org/security/2020/dsa-4811
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/192210
- https://www.ibm.com/support/pages/node/6417585 (Advisory)
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2020-26217
- https://security-tracker.debian.org/tracker/CVE-2020-26217
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217
- https://nvd.nist.gov/vuln/detail/CVE-2020-26217
- https://ubuntu.com/security/CVE-2020-26217
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-26217?
CVE-2020-26217 is a vulnerability in XStream before version 1.4.14 that allows remote code execution.
How severe is CVE-2020-26217?
CVE-2020-26217 has a severity rating of critical (9 out of 10).
How can a remote attacker exploit CVE-2020-26217?
A remote attacker can exploit CVE-2020-26217 by manipulating the processed input stream to run arbitrary shell commands.
Which systems are affected by CVE-2020-26217?
Systems using XStream before version 1.4.14 and relying on blocklists are affected by CVE-2020-26217.
How can I fix CVE-2020-26217?
To fix CVE-2020-26217, update XStream to version 1.4.14 or apply the appropriate patches provided by the vendor.
- collector/redhat-cve
- agent/type
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-26217
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/first-publish-date
- agent/author
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- agent/last-modified-date
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm rational doors next generation
- version/ibm rational doors next generation/6.0.2
- version/ibm rational doors next generation/7.0
- version/ibm rational doors next generation/7.0.1
- version/ibm rational doors next generation/7.0.2
- version/ibm rational doors next generation/6.0.6.1
- version/ibm rational doors next generation/6.0.6
- canonical/ibm pub
- version/ibm pub/7.0.1
- version/ibm pub/7.0.2
- version/ibm pub/7.0
- canonical/ibm engineering workflow management (ewm)
- version/ibm engineering workflow management (ewm)/7.0.2
- version/ibm engineering workflow management (ewm)/7.0.1
- canonical/ibm rational team concert
- version/ibm rational team concert/6.0.2
- version/ibm rational team concert/6.0.6.1
- version/ibm engineering workflow management (ewm)/7.0
- version/ibm rational team concert/6.0.6
- canonical/ibm global configuration management
- version/ibm global configuration management/all
- canonical/ibm engineering test management (etm)
- version/ibm engineering test management (etm)/7.0.2
- canonical/ibm rational quality manager (rqm)
- version/ibm rational quality manager (rqm)/6.0.6.1
- version/ibm engineering test management (etm)/7.0.1
- version/ibm rational quality manager (rqm)/6.0.6
- version/ibm engineering test management (etm)/7.0.0
- version/ibm rational quality manager (rqm)/6.0.2
- canonical/ibm engineering requirements quality assistant
- version/ibm engineering requirements quality assistant/all
- vendor/xstream project
- canonical/xstream
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/netapp
- canonical/netapp snapmanager for sap
- canonical/netapp snapmanager for oracle
- vendor/apache
- canonical/apache activemq
- version/apache activemq/5.15.4
- vendor/oracle
- canonical/oracle cash management
- version/oracle cash management/14.2
- version/oracle cash management/14.3
- version/oracle cash management/14.5
- canonical/oracle banking corporate lending
- version/oracle banking corporate lending/14.2
- version/oracle banking corporate lending/14.3
- version/oracle banking corporate lending/14.5
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2
- version/oracle banking credit facilities process management/14.3
- version/oracle banking credit facilities process management/14.5
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.7.1
- version/oracle banking platform/2.9.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2
- version/oracle banking supply chain finance/14.3
- version/oracle banking supply chain finance/14.5
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2
- version/oracle banking trade finance process management/14.3
- version/oracle banking trade finance process management/14.5
- canonical/oracle banking virtual account management
- version/oracle banking virtual account management/14.2.0
- version/oracle banking virtual account management/14.3.0
- version/oracle banking virtual account management/14.5.0
- canonical/oracle business activity monitoring
- version/oracle business activity monitoring/11.1.1.9.0
- version/oracle business activity monitoring/12.2.1.3.0
- version/oracle business activity monitoring/12.2.1.4.0
- canonical/oracle communications policy management
- version/oracle communications policy management/12.5.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/16.0.6
- version/oracle retail xstore office cloud service/17.0.4
- version/oracle retail xstore office cloud service/18.0.3
- version/oracle retail xstore office cloud service/19.0.2