https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update

https://security.netapp.com/advisory/ntap-20210409-0004/

DSA-4811

https://x-stream.github.io/CVE-2020-26217.html

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4714-1 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a     Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow     a remote attacker to request data from internal resources that are not publicly available only by     manipulating the processed input stream. If you rely on XStream's default blacklist of the Security     Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if     running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security     Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a     whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still     want to use XStream default blacklist can use a workaround described in more detailed in the referenced     advisories. (CVE-2020-26258)

  - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is     vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow     a remote attacker to delete arbitrary know files on the host as log as the executing process has     sufficient rights only by manipulating the processed input stream. If you rely on XStream's default     blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported     vulnerability does not exist running Java 15 or higher. No user is affected, who followed the     recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default     blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of     XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in     more detailed in the referenced advisories. (CVE-2020-26259)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1593 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by a vulnerability as referenced in the SLSA-2021:0162-1 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the CESA-2021:0162 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for xstream fixes the following issues :

xstream was updated to version 1.4.15.

  - CVE-2020-26217: Fixed a remote code execution due to     insecure XML deserialization when relying on blocklists     (bsc#1180994).

  - CVE-2020-26258: Fixed a server-side request forgery     vulnerability (bsc#1180146).

  - CVE-2020-26259: Fixed an arbitrary file deletion     vulnerability (bsc#1180145).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0162 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0162 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that the default blacklist of XStream, a Java library to serialise objects to XML and back again, was vulnerable to the execution of arbitrary shell commands by manipulating the processed input stream.

For additional defense-in-depth it is recommended to switch to the whitelist approach of XStream's security framework. For additional information please refer to https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c
-q4q2

It was found that XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Users who rely on blocklists are affected (the default in Debian). We strongly recommend to use the whitelist approach of XStream's Security Framework because there are likely more class combinations the blacklist approach may not address.

For Debian 9 stretch, this problem has been fixed in version 1.4.9-2+deb9u1.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
145542	Ubuntu 18.04 LTS / 20.04 LTS : XStream vulnerabilities (USN-4714-1)	Nessus	Ubuntu Local Security Checks	high
145450	Amazon Linux 2 : xstream (ALAS-2021-1593)	Nessus	Amazon Linux Local Security Checks	high
145442	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:0162)	Nessus	Scientific Linux Local Security Checks	high
145441	CentOS 7 : xstream (CESA-2021:0162)	Nessus	CentOS Local Security Checks	high
145314	openSUSE Security Update : xstream (openSUSE-2021-140)	Nessus	SuSE Local Security Checks	high
145080	Oracle Linux 7 : xstream (ELSA-2021-0162)	Nessus	Oracle Linux Local Security Checks	high
145067	RHEL 7 : xstream (RHSA-2021:0162)	Nessus	Red Hat Local Security Checks	high
144311	Debian DSA-4811-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	high
143386	Debian DLA-2471-1 : libxstream-java security update	Nessus	Debian Local Security Checks	high

CVE-2020-26217

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

high

high

high

high

high

high

high

high

high