Vulnerability Name:

CVE-2020-26217 (CCN-192210)

Assigned:2020-09-23
Published:2020-09-23
Updated:2022-10-28
Summary:XStream before version 1.4.14 is vulnerable to Remote Code Execution. A remote attacker who controls the input stream that XStream unmarshals can run arbitrary shell commands; no access beyond supplying that input is required. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
9.0 Critical (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
8.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-78
CWE-502
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-26217

Source: CCN
Type: XStream Web site
XStream

Source: XF
Type: UNKNOWN
xstream-cve202026217-code-exec(192210)

Source: CCN
Type: XStream GIT Repository
Fix for CVE-2017-9805

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0004/

Source: DEBIAN
Type: Third Party Advisory
DSA-4811

Source: CCN
Type: IBM Security Bulletin 6374126 (UrbanCode Deploy)
CVE-2020-26217 XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.

Source: CCN
Type: IBM Security Bulletin 6415993 (Spectrum Control)
Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6416143 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6417585 (Rational Team Concert)
Multiple vulnerabilities affect IBM Engineering products.

Source: CCN
Type: IBM Security Bulletin 6435553 (Tivoli Netcool Configuration Manager)
A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217)

Source: CCN
Type: IBM Security Bulletin 6451063 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

Source: CCN
Type: IBM Security Bulletin 6454179 (Sterling B2B Integrator)
Security Vulnerability in Xstream Affects IBM Sterling B2B Integrator (CVE-2020-26217)

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)
Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-26217

Source: CONFIRM
Type: Exploit, Mitigation, Vendor Advisory
https://x-stream.github.io/CVE-2020-26217.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.14)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:netapp:snapmanager:*:*:*:*:*:sap:*:*
  • OR cpe:/a:netapp:snapmanager:-:-:*:*:*:oracle:*:*

Configuration 4:
  • cpe:/a:apache:activemq:5.15.4:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:rational_team_concert:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_team_concert:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:8073 | P | xstream-1.4.20-150200.3.25.1 on GA media (Moderate) | 2023-06-20
    oval:org.opensuse.security:def:95248 | P | Security update for qemu (Important) | 2022-07-04
    oval:org.opensuse.security:def:3432 | P | apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:94888 | P | bluez-devel-5.62-150400.2.5 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:95062 | P | xstream-1.4.19-3.18.2 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:101601 | P | Security update for glib2 (Low) | 2022-04-28
    oval:org.opensuse.security:def:101961 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP3) (Important) | 2022-04-14
    oval:org.opensuse.security:def:113607 | P | xstream-1.4.18-1.1 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:106990 | P | xstream-1.4.18-1.1 on GA media (Moderate) | 2021-10-01
    oval:org.opensuse.security:def:96997 | P | apache2-mod_wsgi-python3-4.5.18-2.27 on GA media (Moderate) | 2021-09-21
    oval:org.opensuse.security:def:4479 | P | Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5) (Important) | 2021-09-16
    oval:org.opensuse.security:def:1958 | P | xstream-1.4.15-3.5.2 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:63047 | P | xstream-1.4.15-3.5.2 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:72766 | P | xstream-1.4.15-3.5.2 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:95988 | P | Security update for SUSE Manager Server 4.1 (Moderate) | 2021-03-19
    oval:org.opensuse.security:def:111099 | P | Security update for xstream (Important) | 2021-01-22
    oval:org.opensuse.security:def:100280 | P | (Important) | 2021-01-20
    oval:org.opensuse.security:def:65568 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:93952 | P | (Important) | 2021-01-20
    oval:org.opensuse.security:def:74636 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:117781 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:100609 | P | (Important) | 2021-01-20
    oval:org.opensuse.security:def:66789 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:94163 | P | (Important) | 2021-01-20
    oval:org.opensuse.security:def:75857 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:108267 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:5700 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:94375 | P | (Important) | 2021-01-20
    oval:org.opensuse.security:def:108627 | P | Security update for xstream (Important) | 2021-01-20
    oval:org.opensuse.security:def:93737 | P | (Important) | 2021-01-20
    oval:com.redhat.rhsa:def:20210162 | P | RHSA-2021:0162: xstream security update (Important) | 2021-01-18