Thoughtworks · Xstream · CVE-2020-26259
**Name of the Vulnerable Software and Affected Versions**
XStream versions prior to 1.4.15
**Description**
The vulnerability allows a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, solely by manipulating the processed input stream. It is triggered during unmarshalling, because XStream's default type blacklist does not cover the types used in the attack. Users who have set up XStream's Security Framework with a whitelist are not affected; only those relying on the default blacklist are. The vulnerability does not exist when running Java 15 or higher.
**Recommendations**
The fix is to upgrade to XStream 1.4.15 or later. Users who cannot upgrade and still rely on the default blacklist can harden their setup as follows, depending on the version in use. Note that `denyTypesByRegExp` matches each pattern against the full class name, so `.` and `$` in the patterns must be escaped.
For XStream version 1.4.14, add the following lines to XStream's setup code:
```java
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```
For XStream version 1.4.13, add the following lines to XStream's setup code:
```java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
```
For XStream versions 1.4.12 to 1.4.7, set up a blacklist from scratch and deny at least the following types: `javax.imageio.ImageIO$ContainsFilter`, `java.beans.EventHandler`, `java.lang.ProcessBuilder`, `jdk.nashorn.internal.objects.NativeString`, `java.lang.Void`, and `void`. Additionally deny by name pattern all `$LazyIterator` inner classes, everything below `javax.crypto`, and `ReadAllStream$FileStream`:
```java
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
```
For XStream versions 1.4.6 or below, which have no Security Framework, register a custom converter that refuses to unmarshal the critical types. It is registered with `PRIORITY_LOW` so that it is consulted before the fallback reflection converter (`PRIORITY_VERY_LOW`) and rejects the type before an instance can be created:
```java
import java.lang.reflect.Proxy;

import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

xstream.registerConverter(new Converter() {
    public boolean canConvert(Class type) {
        if (type == null) {
            return false; // nothing to check; the null guard also protects the getName() calls below
        }
        String name = type.getName();
        return type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
            || name.equals("javax.imageio.ImageIO$ContainsFilter") || name.equals("jdk.nashorn.internal.objects.NativeString")
            || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)
            || name.startsWith("javax.crypto.") || name.endsWith("$LazyIterator") || name.endsWith(".ReadAllStream$FileStream");
    }
    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
        throw new ConversionException("Unsupported type due to security reasons.");
    }
    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
        throw new ConversionException("Unsupported type due to security reasons.");
    }
}, XStream.PRIORITY_LOW);
```
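The following is an added example, not code from the XStream project or from this advisory. It shows the whitelist configuration that makes a deployment immune to this class of issue, next to a denylist in the style of the workarounds above for 1.4.7 and later, together with two self-checks a practitioner should run against such a setup: one that confirms a deny pattern actually matches the class name it targets (`RegExpTypePermission` applies the pattern to the full class name, so an unescaped `.` or `$` leaves the rule inert), and one that confirms a denied type is rejected with `ForbiddenClassException` rather than failing for an unrelated reason such as the class being absent on the running JVM. The `Greeting` class, the `greeting` alias and the sample class names fed to the patterns are constructed for the example.

```java
import java.util.regex.Pattern;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Added example (not XStream project code): whitelist setup plus self-checks for a denylist. */
public class XStreamSecurityCheck {

    /** Hypothetical application type that the whitelist below permits. */
    public static class Greeting {
        String text;
    }

    /** Recommended configuration: clear all permissions, then allow only what the application needs. */
    static XStream whitelisted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // forbid everything not explicitly allowed
        xstream.addPermission(NullPermission.NULL);                // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[]{ String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);                 // assumed alias for the sample XML
        return xstream;
    }

    /** Denylist in the style of the workarounds above; every pattern is validated before registration. */
    static XStream denylisted() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class,
                                       java.lang.Void.class, void.class });
        String[] patterns = { ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" };
        // Constructed class names, one per pattern, that each rule is expected to cover.
        String[] samples = { "a.b$LazyIterator", "javax.crypto.Cipher", "example.ReadAllStream$FileStream" };
        for (int i = 0; i < patterns.length; i++) {
            if (!patternCovers(patterns[i], samples[i])) {
                throw new IllegalStateException("deny pattern does not match its target: " + patterns[i]);
            }
        }
        xstream.denyTypesByRegExp(patterns);
        return xstream;
    }

    /** RegExpTypePermission uses Matcher.matches() on the full class name, so '.' and '$' must be escaped. */
    static boolean patternCovers(String regex, String className) {
        return Pattern.compile(regex).matcher(className).matches();
    }

    /** True only when XStream refused the type via the Security Framework, not for any other failure. */
    static boolean isForbidden(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            return false; // e.g. class not present on this JVM: says nothing about the denylist
        }
    }

    public static void main(String[] args) {
        XStream allow = whitelisted();
        Greeting g = (Greeting) allow.fromXML("<greeting><text>hi</text></greeting>");
        System.out.println("whitelist accepts Greeting:      " + "hi".equals(g.text));
        System.out.println("whitelist forbids ProcessBuilder: " + isForbidden(allow, "<java.lang.ProcessBuilder/>"));
        XStream deny = denylisted();
        System.out.println("denylist forbids ProcessBuilder:  " + isForbidden(deny, "<java.lang.ProcessBuilder/>"));
        // An unescaped '$' is an end-of-input anchor, so this pattern can never match a class name.
        System.out.println("unescaped pattern is inert:       "
            + !patternCovers(".*.ReadAllStream$FileStream", "example.ReadAllStream$FileStream"));
    }
}
```

`java.lang.ProcessBuilder` is used as the probe because it exists on every JVM; probing with `jdk.nashorn.internal.objects.NativeString` on Java 15 or later would fail with a class-resolution error instead, which `isForbidden` deliberately reports as `false` so that a missing class is never mistaken for a working deny rule.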