Lucene search

Redhat.comRH:CVE-2020-26217

HistoryNov 18, 2020 - 10:26 a.m.

CVE-2020-26217

2020-11-1810:26:26

redhat.com

access.redhat.com

xstream

deserialization

remote code execution

xml

mitigation

allow list

deny list

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

99.9%

JSON

A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mitigation

Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.

Allow list approach

java  
XStream xstream = new XStream();  
XStream.setupDefaultSecurity(xstream);  
xstream.allowTypesByWildcard(new String[] {"com.misc.classname"})

Deny list for XStream 1.4.13

java  
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });  
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });

Deny list for XStream 1.4.7 -> 1.4.12

java  
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });  
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });

Deny list for versions prior to XStream 1.4.7

java  
xstream.registerConverter(new Converter() {  
  public boolean canConvert(Class type) {  
    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxy(type));  
  }  
  
  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {  
    throw new ConversionException("Unsupported type due to security reasons.");  
  }  
  
  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {  
    throw new ConversionException("Unsupported type due to security reasons.");  
  }  
}, XStream.PRIORITY_LOW);