Bug 1898907 (CVE-2020-26217)

Summary: CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
Product: [Other] Security Response
Reporter: Jonathan Christison <jochrist>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abenaiss, adam.kaplan, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, bibryam, bmontgom, chazlett, dchen, drieden, eparis, etirelli, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, java-maint, java-sig-commits, jburrell, jcoleman, jnethert, jochrist, jokerman, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lkundrak, mizdebsk, mnovotny, nstielau, nwallace, osoukup, pantinor, pbhattac, pjindal, rrajasek, rsynek, rwagner, sdaley, sponnaga, tcunning, tkirby, vbobade, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xstream-1.4.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-13 18:27:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1898944, 1899093, 1899094, 1899095, 1899096, 1899097, 1899356    
Bug Blocks: 1898908    

Description Jonathan Christison 2020-11-18 10:05:51 UTC
It was found that remote code execution (RCE) is possible in XStream prior to 1.4.14 via unsafe deserialization of user-supplied XML in conjunction with relying on the default XStream deny list. A remote attacker could use this flaw to perform a variety of attacks, but principally this is arbitrary code execution in the context of the JVM running the XStream application.

Upstream Advisory: 
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

Upstream Fix: 
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

Upstream explanation and PoC:
https://x-stream.github.io/CVE-2020-26217.html

Comment 2 Michael Kaplan 2020-11-18 11:12:00 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1898944]

Comment 11 Jonathan Christison 2020-11-18 15:57:37 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 16 Jonathan Christison 2020-11-19 18:49:27 UTC
Mitigation:

Depending on the version of XStream used, there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible, as there are likely more class combinations that the deny list approach may not address.

Allow list approach
```java
import com.thoughtworks.xstream.XStream;

XStream xstream = new XStream();
// Drop XStream's implicit permissions so only explicitly allowed types are accepted.
XStream.setupDefaultSecurity(xstream);
// Allow only the application's own types (wildcard patterns such as "com.misc.**" also work).
xstream.allowTypesByWildcard(new String[] {"com.misc.classname"});
```

Deny list for XStream 1.4.13
```java
// denyTypes() is available from 1.4.7; the 1.4.13 built-in deny list lacks these two types.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
```

Deny list for XStream 1.4.7 -> 1.4.12
```java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
// Older releases lack several later deny-list entries, so add them explicitly
// (the duplicate ProcessBuilder entry from the original list has been removed).
xstream.denyTypes(new Class[]{
    java.lang.ProcessBuilder.class,
    java.beans.EventHandler.class,
    java.lang.Void.class,
    void.class });
```

Deny list for versions prior to XStream 1.4.7
```java
import java.lang.reflect.Proxy;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

// No denyTypes() before 1.4.7: register a converter that refuses the dangerous types.
xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    return type != null
        && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
            || type == java.lang.Void.class || type == void.class
            || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || Proxy.isProxyClass(type));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);
```
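
The allow list mitigation above only helps if it is actually in effect at runtime. As an added example (not code from this bug report or from the XStream project, and assuming XStream 1.4.10 or later, where `XStream.setupDefaultSecurity` is available), the following configures an allow list for a hypothetical `Order` type and adds a startup self-check that a type outside the list is refused with `ForbiddenClassException` rather than instantiated:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Added example, not code from the bug report or the XStream project.
// Assumes XStream 1.4.10 or later: setupDefaultSecurity() exists from 1.4.10
// (from 1.4.18 the allow list is the default and the call is deprecated).
public class AllowListCheck {

    // Hypothetical application type that the service legitimately exchanges.
    public static class Order {
        String id;
        int quantity;

        Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }
    }

    // Build an XStream instance that only accepts explicitly allowed types.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Remove XStream's implicit permissions; afterwards only primitives, a few
        // JDK value types and whatever is allowed below can be resolved.
        XStream.setupDefaultSecurity(xstream);
        // Allow the application's own types only. Wildcards work as well,
        // e.g. xstream.allowTypesByWildcard(new String[]{"com.example.orders.**"}).
        xstream.allowTypes(new Class[]{Order.class});
        return xstream;
    }

    // Constructed input naming a type outside the allow list. It carries no
    // payload; the point is only that XStream must refuse to resolve the class.
    static final String DISALLOWED_XML = "<java.lang.ProcessBuilder/>";

    // Startup self-check: true if the allow list is enforced, false if the
    // disallowed type was instantiated (e.g. someone re-added the default permissions).
    static boolean rejectsDisallowedType(XStream xstream) {
        try {
            xstream.fromXML(DISALLOWED_XML);
            return false;
        } catch (RuntimeException e) {
            // ForbiddenClassException may surface directly or as the cause of a
            // ConversionException, depending on where in the tree it was hit.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e; // some other failure: do not mistake it for a successful block
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // The allowed type still round-trips.
        String xml = xstream.toXML(new Order("A-1", 3));
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + ("A-1".equals(back.id) && back.quantity == 3));

        // Fail fast at startup instead of discovering a disabled allow list in production.
        if (!rejectsDisallowedType(xstream)) {
            throw new IllegalStateException("XStream allow list is not enforced");
        }
        System.out.println("disallowed type rejected: true");
    }
}
```

Running the check once at application startup (or in a unit test against the shared `XStream` instance) catches the common regression where a later code change calls `addPermission(AnyTypePermission.ANY)` or constructs a fresh, unhardened `XStream` for convenience.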

Comment 18 Jonathan Christison 2020-11-25 12:54:36 UTC
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7 and Red Hat Integration Camel K as Moderate. Although these products use vulnerable versions of XStream through the camel-xstream component (https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream), Camel provides an extended default deny list with `org.apache.camel.xstream.permissions`, the default being `-*,java.lang.*,java.util.*`. For this reason the attack complexity is significantly increased, as this deny list is out of the attacker's control.

Users overriding `org.apache.camel.xstream.permissions` for unmarshalling of XML should ensure that either both `-javax.imageio.ImageIO.` and `-java.lang.ProcessBuilder.` are explicitly present or all classes are denied by default, e.g. `-*,com.misc.mypackage.myclass`.

Comment 19 Przemyslaw Roguski 2020-11-26 10:44:54 UTC
Statement:

OpenShift Container Platform (OCP) delivers the jenkins package with a bundled XStream library. Due to the Jenkins project's JEP-200 [1] and advisory SECURITY-383 [2], the OCP jenkins package is not affected by this flaw.

[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
[2] https://www.jenkins.io/security/advisory/2017-02-01/  (see SECURITY-383 / CVE-2017-2608)

Comment 20 errata-xmlrpc 2021-01-13 16:55:49 UTC
This issue has been addressed in the following products:

  RHDM 7.9.1

Via RHSA-2021:0106 https://access.redhat.com/errata/RHSA-2021:0106

Comment 21 errata-xmlrpc 2021-01-13 16:56:04 UTC
This issue has been addressed in the following products:

  RHPAM 7.9.1

Via RHSA-2021:0105 https://access.redhat.com/errata/RHSA-2021:0105

Comment 22 Product Security DevOps Team 2021-01-13 18:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26217

Comment 23 errata-xmlrpc 2021-01-18 14:31:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0162 https://access.redhat.com/errata/RHSA-2021:0162

Comment 24 errata-xmlrpc 2021-02-02 14:23:33 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.18

Via RHSA-2021:0384 https://access.redhat.com/errata/RHSA-2021:0384

Comment 25 errata-xmlrpc 2021-02-08 12:55:02 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.1.1

Via RHSA-2021:0433 https://access.redhat.com/errata/RHSA-2021:0433

Comment 27 errata-xmlrpc 2021-11-23 10:34:31 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 28 errata-xmlrpc 2021-12-14 21:33:01 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134