{
  "threat_severity" : "Important",
  "public_date" : "2020-11-16T19:40:00Z",
  "bugzilla" : {
    "description" : "XStream: remote code execution due to insecure XML deserialization when relying on blocklists",
    "id" : "1898907",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1898907"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "XStream before version 1.4.14 is vulnerable to remote code execution. The vulnerability may allow a remote attacker to run arbitrary shell commands simply by manipulating the processed input stream. Only users who rely on blocklists are affected; anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.", "A flaw was found in XStream. Unsafe deserialization of user-supplied XML, combined with reliance on the library's default deny list, allows a remote attacker to perform a variety of attacks, including execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "OpenShift Container Platform (OCP) delivers the jenkins package with a bundled XStream library. Jenkins restricts XStream deserialization to an allow list of classes (Jenkins JEP-200 [1], building on the class restrictions introduced with advisory SECURITY-383 [2]), so the OCP jenkins package is not affected by this flaw.\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/  (see SECURITY-383 / CVE-2017-2608)",
  "affected_release" : [ {
    "product_name" : "Red Hat Data Grid 8.1.1",
    "release_date" : "2021-02-08T00:00:00Z",
    "advisory" : "RHSA-2021:0433",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "xstream",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-01-18T00:00:00Z",
    "advisory" : "RHSA-2021:0162",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "xstream-0:1.3.1-12.el7_9"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "xstream",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Fuse/AMQ 6.3.18",
    "release_date" : "2021-02-02T00:00:00Z",
    "advisory" : "RHSA-2021:0384",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3",
    "package" : "xstream"
  }, {
    "product_name" : "Red Hat Fuse/AMQ 6.3.18",
    "release_date" : "2021-02-02T00:00:00Z",
    "advisory" : "RHSA-2021:0384",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3",
    "package" : "xstream",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Integration",
    "release_date" : "2021-08-18T00:00:00Z",
    "advisory" : "RHSA-2021:3205",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "release_date" : "2021-11-23T00:00:00Z",
    "advisory" : "RHSA-2021:4767",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2"
  }, {
    "product_name" : "RHDM 7.9.1",
    "release_date" : "2021-01-13T00:00:00Z",
    "advisory" : "RHSA-2021:0106",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9",
    "package" : "xstream"
  }, {
    "product_name" : "RHPAM 7.9.1",
    "release_date" : "2021-01-13T00:00:00Z",
    "advisory" : "RHSA-2021:0105",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9",
    "package" : "xstream"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:integration:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xstream",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-26217\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26217" ],
  "name" : "CVE-2020-26217",
  "mitigation" : {
    "value" : "Depending on the version of XStream in use there are several usage patterns that mitigate this flaw. We strongly recommend the allow list approach wherever possible: a deny list only covers the gadget classes known when it was written, and this flaw is itself a class combination that the earlier default deny list did not cover.\nAllow list approach (XStream.setupDefaultSecurity is available from XStream 1.4.10)\n```java\nXStream xstream = new XStream();\n// Reset permissions so that only a small set of basic JDK types is allowed (the default since XStream 1.4.18)\nXStream.setupDefaultSecurity(xstream);\n// Then allow only the application's own types, by exact name or by a wildcard pattern such as \"com.misc.**\"\nxstream.allowTypesByWildcard(new String[] { \"com.misc.classname\" });\n```\nDeny list for XStream 1.4.13\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\nDeny list for XStream 1.4.7 to 1.4.12\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });\n```\nDeny list for versions prior to XStream 1.4.7 (these releases have no security framework, so a converter that refuses the dangerous types is registered instead)\n```java\nimport com.thoughtworks.xstream.converters.ConversionException;\nimport com.thoughtworks.xstream.converters.Converter;\nimport com.thoughtworks.xstream.converters.MarshallingContext;\nimport com.thoughtworks.xstream.converters.UnmarshallingContext;\nimport com.thoughtworks.xstream.io.HierarchicalStreamReader;\nimport com.thoughtworks.xstream.io.HierarchicalStreamWriter;\n\n// PRIORITY_LOW puts this converter ahead of the general reflection converter (PRIORITY_VERY_LOW) but behind the type-specific ones\nxstream.registerConverter(new Converter() {\n    public boolean canConvert(Class type) {\n        return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n            || type == java.lang.Void.class || type == void.class\n            || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || java.lang.reflect.Proxy.isProxyClass(type));\n    }\n    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n        throw new ConversionException(\"Unsupported type due to security reasons.\");\n    }\n    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n        throw new ConversionException(\"Unsupported type due to security reasons.\");\n    }\n}, XStream.PRIORITY_LOW);\n```",
    "lang" : "en:us"
  },
  "csaw" : false
}
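The allow list mitigation from the record above, as an added worked example that is not part of Red Hat's page or of the XStream project's own advisory code: a hypothetical `Order` class is the only application type the parser may instantiate, and two constructed inputs naming `java.lang.ProcessBuilder` (once as the root element, once through a `class` attribute on a field) are refused before any object of that type is created. The `Order` class, the alias, the sample XML and the presence of XStream 1.4.10 or later on the classpath are all assumptions of this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowListExample {

    // Hypothetical application type (assumed for this example): the only class the parser may instantiate.
    public static class Order {
        String id;
        int quantity;
    }

    // Builds an XStream instance that refuses every type except basic JDK types and those explicitly allowed.
    static XStream hardened() {
        XStream xstream = new XStream();
        // Resets permissions so that only a small set of basic JDK types is allowed
        // (requires XStream 1.4.10 or later; this is the default from 1.4.18, where the call is deprecated).
        XStream.setupDefaultSecurity(xstream);
        // Allow exactly the types this application expects to read. The alias is cosmetic;
        // permissions are checked against the real class, not the element name.
        xstream.allowTypes(new Class[] { Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true when XStream refuses the document because a named class is not on the allow list.
    static boolean rejectedByAllowList(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            // For the root element XStream throws ForbiddenClassException directly; for a type named
            // deeper in the document it arrives wrapped in a ConversionException, so walk the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Legitimate round trip of an allowed type.
        Order order = new Order();
        order.id = "A-42";
        order.quantity = 3;
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("round trip ok: " + back.id + " x" + back.quantity);

        // Constructed untrusted input whose root element names a class outside the allow list.
        // The element name alone selects the class, so the check has to happen before instantiation.
        String rootAttack = "<java.lang.ProcessBuilder/>";
        System.out.println("root ProcessBuilder rejected: " + rejectedByAllowList(xstream, rootAttack));

        // Constructed untrusted input that smuggles the class in through a field's class attribute.
        String nestedAttack = "<order><id class=\"java.lang.ProcessBuilder\"/><quantity>1</quantity></order>";
        System.out.println("nested ProcessBuilder rejected: " + rejectedByAllowList(xstream, nestedAttack));
    }
}
```

Both constructed inputs print `rejected: true`; the `ProcessBuilder` class is never instantiated because `SecurityMapper` refuses to resolve its name. Compare this with the deny list snippets above: they only protect against the specific classes they enumerate, whereas here any class not listed is refused, including ones that will only be found to be dangerous in the future.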