PT-2020-6135 · Thoughtworks · Xstream

Liaogui Zhong · Published 2020-12-15 · Updated 2025-09-29 · CVE-2020-26259

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:P
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.15

Description: The issue allows a remote attacker to delete arbitrary files on the host, as long as the executing process has sufficient rights, by manipulating the processed input stream. This happens during unmarshalling and exploits the lack of proper security measures in the XStream library. No user is affected if they have set up XStream's Security Framework with a whitelist. The vulnerability does not exist when running Java 15 or higher.
Recommendations: For XStream version 1.4.14, add the following lines to XStream's setup code:

  xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
  // The dot and the $ are literal characters in the class name, so they are escaped in the regular expression.
  xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
For XStream version 1.4.13, add the following lines to XStream's setup code:

  xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
  xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
  xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
For XStream versions 1.4.12 to 1.4.7, set up a blacklist from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void, and void; also deny several types by name pattern:

  // JDK-internal types are denied by name, since they may not be on the compile classpath.
  xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
  xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });
  xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
For XStream versions 1.4.6 or below, register your own converter to prevent the unmarshalling of critical types:

  import java.lang.reflect.Proxy;
  import com.thoughtworks.xstream.XStream;
  import com.thoughtworks.xstream.converters.ConversionException;
  import com.thoughtworks.xstream.converters.Converter;
  import com.thoughtworks.xstream.converters.MarshallingContext;
  import com.thoughtworks.xstream.converters.UnmarshallingContext;
  import com.thoughtworks.xstream.io.HierarchicalStreamReader;
  import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

  xstream.registerConverter(new Converter() {
    // Claim every critical type so that this converter, not the default reflection converter, handles it.
    public boolean canConvert(Class type) {
      return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
        || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)
        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
    }

    // Refuse to read any of these types from the stream.
    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
      throw new ConversionException("Unsupported type due to security reasons.");
    }

    // Refuse to write them as well.
    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
      throw new ConversionException("Unsupported type due to security reasons.");
    }
  }, XStream.PRIORITY_LOW);

Weakness Enumeration: OS Command Injection

Related Identifiers

ALSA-2025_16880
ALT-PU-2022-7660
BDU:2021-03156
CVE-2020-26259
DLA-2507-1
DSA-4828-1
GHSA-JFVX-7WRX-43FH
OESA-2021-1015
OPENSUSE-SU-2021:0140-1
OPENSUSE-SU-2021_0140-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:0176-1
SUSE-SU-2021:0906-1
USN-4714-1
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Linuxmint
Suse
Ubuntu
Xstream