Vulnerability CVE-2020-26258

Vulnerability Name:

CVE-2020-26258 (CCN-193525)

Assigned:

2020-12-13

Published:

2020-12-13

Updated:

2021-11-30

Summary:

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

CVSS v3 Severity:

7.7 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-918

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2020-26258

Source: XF
Type: UNKNOWN
xstream-cve202026258-ssrf(193525)

Source: CCN
Type: XStream GIT Repository
A Server-Side Forgery Request can be activated unmarshalling with XStream

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28

Source: MLIST
Type: Mailing List, Third Party Advisory
[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-fbad11014a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5e376c0ed9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d894ca87dc

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0005/

Source: DEBIAN
Type: Third Party Advisory
DSA-4828

Source: CCN
Type: IBM Security Bulletin 6415993 (Spectrum Control)
Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6416143 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

Source: CCN
Type: IBM Security Bulletin 6435555 (Tivoli Netcool Configuration Manager)
A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259)

Source: CCN
Type: IBM Security Bulletin 6451063 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6525260 (Spectrum Copy Data Management)
Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6601097 (Rational Quality Manager)
IBM Engineering Test Management is vulnerable to arbitrary data access due to XStream ( CVE-2020-26258, CVE-2020-26259 )

Source: CCN
Type: IBM Security Bulletin 6841035 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

Source: MISC
Type: Exploit, Mitigation, Third Party Advisory
https://x-stream.github.io/CVE-2020-26258.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version < 1.4.15)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:xstream_project:xstream:1.4.14:*:*:*:*:*:*:*

AND

cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_test_management:7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8073	P	xstream-1.4.20-150200.3.25.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:95248	P	Security update for qemu (Important)	2022-07-04
oval:org.opensuse.security:def:3432	P	apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94888	P	bluez-devel-5.62-150400.2.5 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95062	P	xstream-1.4.19-3.18.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:101601	P	Security update for glib2 (Low)	2022-04-28
oval:org.opensuse.security:def:101961	P	Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP3) (Important)	2022-04-14
oval:org.opensuse.security:def:113607	P	xstream-1.4.18-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106990	P	xstream-1.4.18-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:96997	P	apache2-mod_wsgi-python3-4.5.18-2.27 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:4479	P	Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5) (Important)	2021-09-16
oval:org.opensuse.security:def:63047	P	xstream-1.4.15-3.5.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72766	P	xstream-1.4.15-3.5.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1958	P	xstream-1.4.15-3.5.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:95988	P	Security update for SUSE Manager Server 4.1 (Moderate)	2021-03-19
oval:org.opensuse.security:def:111099	P	Security update for xstream (Important)	2021-01-22
oval:org.opensuse.security:def:100609	P	(Important)	2021-01-20
oval:org.opensuse.security:def:66789	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:94163	P	(Important)	2021-01-20
oval:org.opensuse.security:def:75857	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:108267	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:5700	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:94375	P	(Important)	2021-01-20
oval:org.opensuse.security:def:108627	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:93737	P	(Important)	2021-01-20
oval:org.opensuse.security:def:100280	P	(Important)	2021-01-20
oval:org.opensuse.security:def:65568	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:93952	P	(Important)	2021-01-20
oval:org.opensuse.security:def:74636	P	Security update for xstream (Important)	2021-01-20
oval:org.opensuse.security:def:117781	P	Security update for xstream (Important)	2021-01-20

BACK