https://x-stream.github.io/CVE-2020-26217.html

https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update

DSA-4811

[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

https://security.netapp.com/advisory/ntap-20210409-0004/

https://www.oracle.com/security-alerts/cpuApr2021.html

[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217

https://www.oracle.com/security-alerts/cpuoct2021.html

The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4943-1 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a     Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow     a remote attacker to request data from internal resources that are not publicly available only by     manipulating the processed input stream. If you rely on XStream's default blacklist of the Security     Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if     running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security     Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a     whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still     want to use XStream default blacklist can use a workaround described in more detailed in the referenced     advisories. (CVE-2020-26258)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is     vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow     a remote attacker to delete arbitrary know files on the host as log as the executing process has     sufficient rights only by manipulating the processed input stream. If you rely on XStream's default     blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported     vulnerability does not exist running Java 15 or higher. No user is affected, who followed the     recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default     blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of     XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in     more detailed in the referenced advisories. (CVE-2020-26259)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system     depending on CPU type or parallel execution of such a payload resulting in a denial of service only by     manipulating the processed input stream. No user is affected who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21341)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in a server-side forgery request. No user is affected, who followed the recommendation to setup     XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21342)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability where the processed stream at unmarshalling time contains type information to     recreate the formerly written objects. XStream creates therefore new instances based on these type     information. An attacker can manipulate the processed input stream and replace or inject objects, that     result in the deletion of a file on the local host. No user is affected, who followed the recommendation     to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely     on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21343)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a     remote host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21344, CVE-2021-21346, CVE-2021-21347)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands     of the host only by manipulating the processed input stream. No user is affected, who followed the     recommendation to setup XStream's security framework with a whitelist limited to the minimal required     types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least     version 1.4.16. (CVE-2021-21345)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU     time and will never return. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21348)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to request data from internal resources that     are not publicly available only by manipulating the processed input stream. No user is affected, who     followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal     required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use     at least version 1.4.16. (CVE-2021-21349)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating     the processed input stream. No user is affected, who followed the recommendation to setup XStream's     security framework with a whitelist limited to the minimal required types. If you rely on XStream's     default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21350)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16,     there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host     only by manipulating the processed input stream. No user is affected, who followed the recommendation to     setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on     XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
    (CVE-2021-21351)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4714-1 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a     Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow     a remote attacker to request data from internal resources that are not publicly available only by     manipulating the processed input stream. If you rely on XStream's default blacklist of the Security     Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if     running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security     Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a     whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still     want to use XStream default blacklist can use a workaround described in more detailed in the referenced     advisories. (CVE-2020-26258)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is     vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow     a remote attacker to delete arbitrary know files on the host as log as the executing process has     sufficient rights only by manipulating the processed input stream. If you rely on XStream's default     blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported     vulnerability does not exist running Java 15 or higher. No user is affected, who followed the     recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default     blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of     XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in     more detailed in the referenced advisories. (CVE-2020-26259)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1593 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by a vulnerability as referenced in the SLSA-2021:0162-1 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the CESA-2021:0162 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for xstream fixes the following issues :

xstream was updated to version 1.4.15.

  - CVE-2020-26217: Fixed a remote code execution due to     insecure XML deserialization when relying on blocklists     (bsc#1180994).

  - CVE-2020-26258: Fixed a server-side request forgery     vulnerability (bsc#1180146).

  - CVE-2020-26259: Fixed an arbitrary file deletion     vulnerability (bsc#1180145).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0162 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0162 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that the default blacklist of XStream, a Java library to serialise objects to XML and back again, was vulnerable to the execution of arbitrary shell commands by manipulating the processed input stream.

For additional defense-in-depth it is recommended to switch to the whitelist approach of XStream's security framework. For additional information please refer to https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c
-q4q2

It was found that XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Users who rely on blocklists are affected (the default in Debian). We strongly recommend to use the whitelist approach of XStream's Security Framework because there are likely more class combinations the blacklist approach may not address.

For Debian 9 stretch, this problem has been fixed in version 1.4.9-2+deb9u1.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
149408	Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : XStream vulnerabilities (USN-4943-1)	Nessus	Ubuntu Local Security Checks	high
145542	Ubuntu 18.04 LTS / 20.04 LTS : XStream vulnerabilities (USN-4714-1)	Nessus	Ubuntu Local Security Checks	high
145450	Amazon Linux 2 : xstream (ALAS-2021-1593)	Nessus	Amazon Linux Local Security Checks	high
145442	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:0162)	Nessus	Scientific Linux Local Security Checks	high
145441	CentOS 7 : xstream (CESA-2021:0162)	Nessus	CentOS Local Security Checks	high
145314	openSUSE Security Update : xstream (openSUSE-2021-140)	Nessus	SuSE Local Security Checks	high
145080	Oracle Linux 7 : xstream (ELSA-2021-0162)	Nessus	Oracle Linux Local Security Checks	high
145067	RHEL 7 : xstream (RHSA-2021:0162)	Nessus	Red Hat Local Security Checks	high
144311	Debian DSA-4811-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	high
143386	Debian DLA-2471-1 : libxstream-java security update	Nessus	Debian Local Security Checks	high

CVE-2020-26217

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

high

high

high

high

high

high

high

high

high

high