CVE-2020-26217

Published: 16 Nov 2020
Source: redhat
CVSS3: 9
EPSS: Critical

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Report

OpenShift Container Platform (OCP) delivers the jenkins package with a bundled XStream library. Due to the Jenkins project's JEP-200 [1] and advisory SECURITY-383 [2], the OCP jenkins package is not affected by this flaw.

[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)

Mitigation

Depending on the version of XStream used, there are various usage patterns that mitigate this flaw. We strongly recommend the allow list approach wherever possible: the deny list approach can only cover the class combinations already known, and more are likely to exist.

Allow list approach

    import com.thoughtworks.xstream.XStream;

    XStream xstream = new XStream();
    // Install XStream's built-in deny list first (available from 1.4.10), ...
    XStream.setupDefaultSecurity(xstream);
    // ... then permit only the application's own types; any other type is refused.
    xstream.allowTypesByWildcard(new String[] { "com.misc.classname" });

Deny list for XStream 1.4.13

    xstream.denyTypes(new String[] { "javax.imageio.ImageIO$ContainsFilter" });
    xstream.denyTypes(new Class[] { java.lang.ProcessBuilder.class });

Deny list for XStream 1.4.7 -> 1.4.12

    xstream.denyTypes(new String[] { "javax.imageio.ImageIO$ContainsFilter" });
    xstream.denyTypes(new Class[] {
        java.lang.ProcessBuilder.class,
        java.beans.EventHandler.class,
        java.lang.Void.class,
        void.class
    });

Deny list for versions prior to XStream 1.4.7

    import java.lang.reflect.Proxy;
    import com.thoughtworks.xstream.XStream;
    import com.thoughtworks.xstream.converters.ConversionException;
    import com.thoughtworks.xstream.converters.Converter;
    import com.thoughtworks.xstream.converters.MarshallingContext;
    import com.thoughtworks.xstream.converters.UnmarshallingContext;
    import com.thoughtworks.xstream.io.HierarchicalStreamReader;
    import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

    // Registered at PRIORITY_LOW so it is consulted before the generic reflection
    // converter (PRIORITY_VERY_LOW) that would otherwise instantiate these types;
    // any attempt to marshal or unmarshal one of them fails with an exception.
    xstream.registerConverter(new Converter() {
        public boolean canConvert(Class type) {
            return type != null && (type == java.beans.EventHandler.class
                || type == java.lang.ProcessBuilder.class
                || type == java.lang.Void.class
                || type == void.class
                || type.getName().equals("javax.imageio.ImageIO$ContainsFilter")
                || Proxy.isProxyClass(type));
        }

        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            throw new ConversionException("Unsupported type due to security reasons.");
        }

        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            throw new ConversionException("Unsupported type due to security reasons.");
        }
    }, XStream.PRIORITY_LOW);
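An added example, not taken from the advisory or from the XStream project, showing why the allow list approach above is preferred: the application's own type (the constructed Order class and the alias "order" are assumptions) deserializes normally, while input naming any type outside the allow list is refused before an object is created, whether or not that type happens to be on a deny list.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowListDemo {

    // Constructed DTO standing in for the application's own data type (assumption).
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream instance that accepts only the types named explicitly.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Default deny list first (needed on 1.4.10 through 1.4.17; from 1.4.18 the
        // allow list is already the default and this call is a deprecated no-op).
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[] { Order.class });  // explicit allow list
        xstream.alias("order", Order.class);              // readable element name
        return xstream;
    }

    // True when the security framework refused the input instead of parsing it.
    public static boolean refused(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed benign input: the allowed type round-trips normally.
        Order o = (Order) xstream.fromXML("<order><id>A-1</id><quantity>2</quantity></order>");
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed input naming a type that is not on the allow list: rejected by
        // the security framework before instantiation, independent of deny-list coverage.
        System.out.println("ProcessBuilder refused: "
            + refused(xstream, "<java.lang.ProcessBuilder/>"));
    }
}
```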

Affected packages

Platform                                  | Package | State                | Advisory       | Release
Red Hat BPM Suite 6                       | xstream | Out of support scope |                |
Red Hat CodeReady Studio 12               | xstream | Affected             |                |
Red Hat Integration Camel K 1             | xstream | Affected             |                |
Red Hat JBoss BRMS 6                      | xstream | Out of support scope |                |
Red Hat JBoss Data Grid 7                 | xstream | Out of support scope |                |
Red Hat JBoss Fuse Service Works 6        | xstream | Out of support scope |                |
Red Hat OpenShift Container Platform 3.11 | jenkins | Not affected         |                |
Red Hat OpenShift Container Platform 4    | jenkins | Not affected         |                |
Red Hat Data Grid 8.1.1                   | xstream | Fixed                | RHSA-2021:0433 | 08.02.2021
Red Hat Enterprise Linux 7                | xstream | Fixed                | RHSA-2021:0162 | 18.01.2021


Additional information

Status: Important
Defect: CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1898907
XStream: remote code execution due to insecure XML deserialization when relying on blocklists

EPSS: 0.93566 (percentile: 100%, Critical)
CVSS3: 9 Critical

Related vulnerabilities

- ubuntu (CVSS3: 8, about 5 years ago): XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
- nvd (CVSS3: 8, about 5 years ago): XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
- debian (CVSS3: 8, about 5 years ago): XStream before version 1.4.14 is vulnerable to Remote Code Execution.T ...
- github (CVSS3: 8, about 5 years ago): XStream can be used for Remote Code Execution
- oracle-oval (about 5 years ago): ELSA-2021-0162: xstream security update (IMPORTANT)
