Bug 1898907 (CVE-2020-26217) - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-26217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1898944 1899093 1899094 1899095 1899096 1899097 1899356
Blocks: 1898908
Reported: 2020-11-18 10:05 UTC by Jonathan Christison
Modified: 2023-09-20 14:28 UTC (History)

Fixed In Version: xstream-1.4.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in xstream. Unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks, including execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-01-13 18:27:42 UTC
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2021:0105 | 0 | None | None | None | 2021-01-13 16:56:06 UTC |
| Red Hat Product Errata | RHSA-2021:0106 | 0 | None | None | None | 2021-01-13 16:55:51 UTC |
| Red Hat Product Errata | RHSA-2021:0162 | 0 | None | None | None | 2021-01-18 14:32:00 UTC |
| Red Hat Product Errata | RHSA-2021:0384 | 0 | None | None | None | 2021-02-02 14:23:38 UTC |
| Red Hat Product Errata | RHSA-2021:0433 | 0 | None | None | None | 2021-02-08 12:55:05 UTC |
| Red Hat Product Errata | RHSA-2021:4767 | 0 | None | None | None | 2021-11-23 10:34:34 UTC |
| Red Hat Product Errata | RHSA-2021:5134 | 0 | None | None | None | 2021-12-14 21:33:04 UTC |

Description Jonathan Christison 2020-11-18 10:05:51 UTC
It was found that remote code execution (RCE) is possible in XStream prior to 1.4.14 via unsafe deserialization of user-supplied XML in conjunction with relying on the default XStream deny list. A remote attacker could use this flaw to perform a variety of attacks, but principally this is arbitrary code execution in the context of the JVM running the XStream application.

Upstream Advisory: 
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

Upstream Fix: 
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

Upstream explanation and PoC:
https://x-stream.github.io/CVE-2020-26217.html

Comment 2 Michael Kaplan 2020-11-18 11:12:00 UTC
Created xstream tracking bugs for this issue:

Affects: fedora-all [bug 1898944]

Comment 11 Jonathan Christison 2020-11-18 15:57:37 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 16 Jonathan Christison 2020-11-19 18:49:27 UTC
Mitigation:

Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.

Allow list approach
```java
XStream xstream = new XStream();
// Installs XStream's default security framework (available since 1.4.10):
// every type is denied unless a permission explicitly allows it.
XStream.setupDefaultSecurity(xstream);
// Allow only the application's own types; patterns may use * and ** to match packages.
xstream.allowTypesByWildcard(new String[] {"com.misc.classname"});
```

Deny list for XStream 1.4.13
```java
// 1.4.13 already denies the other gadget types; only these two are missing.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
```

Deny list for XStream 1.4.7 -> 1.4.12
```java
// Older 1.4.x releases need the full set of types used by the known gadget chain denied.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });
```

Deny list for versions prior to XStream 1.4.7
```java
import java.lang.reflect.Proxy;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

// Versions before 1.4.7 have no type-permission API, so a converter that refuses
// the dangerous types is registered instead; PRIORITY_LOW still outranks the
// reflection converter, so it is consulted first for these types.
xstream.registerConverter(new Converter() {
  public boolean canConvert(Class type) {
    return type != null && (type == java.beans.EventHandler.class
        || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class
        || type == void.class || type.getName().equals("javax.imageio.ImageIO$ContainsFilter")
        || Proxy.isProxyClass(type));
  }

  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }

  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
    throw new ConversionException("Unsupported type due to security reasons.");
  }
}, XStream.PRIORITY_LOW);
```
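
The allow-list approach from the mitigation above, carried through as an added example that is not code from the advisory or the XStream project: it assumes XStream 1.4.10 or later (for `setupDefaultSecurity`), and the class names `XStreamAllowListDemo` and `Greeting` are hypothetical. It shows that a type outside the allow list is refused by the security mapper without any reliance on the default deny list.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowListDemo {

    // Hypothetical application type: the only user-defined class the XML may contain.
    public static class Greeting {
        public String text;
    }

    // Allow-list configuration: start from XStream's default security setup, which
    // denies every type not explicitly permitted, then add only what the application needs.
    public static XStream secureXStream() {
        XStream xstream = new XStream();
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[] { Greeting.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // Returns true when XStream refuses to resolve the type named in the XML.
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();

        // Constructed input naming an allowed type: deserializes normally.
        Greeting g = (Greeting) xstream.fromXML("<greeting><text>hello</text></greeting>");
        System.out.println("allowed: " + g.text);

        // Constructed input naming a JDK type that is not on the allow list. The security
        // mapper rejects it before any instance is created, whether or not the type also
        // appears on the default deny list that the advisory warns against relying on.
        System.out.println("ProcessBuilder rejected: "
                + isRejected(xstream, "<java.lang.ProcessBuilder/>"));
    }
}
```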

Comment 18 Jonathan Christison 2020-11-25 12:54:36 UTC
Marking Red Hat JBoss Fuse 6, Red Hat Fuse 7, Red Hat Integration Camel K as Moderate. Although these products use vulnerable versions of XStream through the camel-xstream component (https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/apache_camel_component_reference/idu-xstream), Camel provides an extended default deny list with `org.apache.camel.xstream.permissions`, the default being `-,java.lang.,java.util.`; for this reason the attack complexity is significantly increased, as this deny list is out of the attacker's control.

Users overriding `org.apache.camel.xstream.permissions` for unmarshalling of XML should ensure that either both `-javax.imageio.ImageIO.` and `-java.lang.ProcessBuilder.` are explicitly present or all classes are denied by default, e.g. `-*,com.misc.mypackage.myclass`.

Comment 19 Przemyslaw Roguski 2020-11-26 10:44:54 UTC
Statement:

OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.

[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc
[2] https://www.jenkins.io/security/advisory/2017-02-01/  (see SECURITY-383 / CVE-2017-2608)

Comment 20 errata-xmlrpc 2021-01-13 16:55:49 UTC
This issue has been addressed in the following products:

  RHDM 7.9.1

Via RHSA-2021:0106 https://access.redhat.com/errata/RHSA-2021:0106

Comment 21 errata-xmlrpc 2021-01-13 16:56:04 UTC
This issue has been addressed in the following products:

  RHPAM 7.9.1

Via RHSA-2021:0105 https://access.redhat.com/errata/RHSA-2021:0105

Comment 22 Product Security DevOps Team 2021-01-13 18:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26217

Comment 23 errata-xmlrpc 2021-01-18 14:31:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0162 https://access.redhat.com/errata/RHSA-2021:0162

Comment 24 errata-xmlrpc 2021-02-02 14:23:33 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.18

Via RHSA-2021:0384 https://access.redhat.com/errata/RHSA-2021:0384

Comment 25 errata-xmlrpc 2021-02-08 12:55:02 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.1.1

Via RHSA-2021:0433 https://access.redhat.com/errata/RHSA-2021:0433

Comment 27 errata-xmlrpc 2021-11-23 10:34:31 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 28 errata-xmlrpc 2021-12-14 21:33:01 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

