PT-2020-6136 · Thornton Rose+4 · Xstream+4

Liaogui Zhong · Published 2020-12-15 · Updated 2025-01-15 · CVE-2020-26258

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.15
Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability in XStream, a Java library used to serialize objects to XML and back again. It can be triggered during unmarshalling and may allow a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream. The vulnerability does not exist when running Java 15 or higher. No user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist.
Recommendations: To resolve the issue for each affected version:
  • For XStream 1.4.14, add the following lines to XStream's setup code:
xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
// Regular expression: the dot and the dollar sign must be escaped, otherwise "$" is an end anchor and the pattern never matches.
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
  • For XStream 1.4.13 to 1.4.14, add the following lines to XStream's setup code:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
  • For XStream 1.4.7 to 1.4.12, set up a blacklist from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void, and void, and deny several types by name pattern.
// Types that may not be loadable on every JVM are denied by name; the rest by class literal.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
// Regular expressions: "." and "$" are escaped so they match literally.
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
  • For XStream 1.4.6 or below, register your own converter to prevent the unmarshalling of the currently known critical types of the Java runtime.
// Requires java.lang.reflect.Proxy, com.thoughtworks.xstream.converters.{Converter, ConversionException,
// MarshallingContext, UnmarshallingContext} and com.thoughtworks.xstream.io.{HierarchicalStreamReader, HierarchicalStreamWriter}.
xstream.registerConverter(new Converter() {
 // Claim every known critical type so that the unmarshal() below is the converter that handles it.
 public boolean canConvert(Class type) {
  return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
    || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
    || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)
    || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
 }

 // Reject the type instead of building an instance of it.
 public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
  throw new ConversionException("Unsupported type due to security reasons.");
 }

 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
  throw new ConversionException("Unsupported type due to security reasons.");
 }
}, XStream.PRIORITY_LOW);

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

ALT-PU-2022-7660
BDU:2021-03157
CVE-2020-26258
DLA-2507-1
DSA-4828-1
GHSA-4CCH-WXPW-8P28
OESA-2021-1015
OPENSUSE-SU-2021:0140-1
OPENSUSE-SU-2021_0140-1
OPENSUSE-SU-2024:10592-1
SUSE-SU-2021:0176-1
SUSE-SU-2021:0906-1
USN-4714-1
USN-4943-1
USN-6978-1

Affected Products

Alt Linux
Linuxmint
Suse
Ubuntu
Xstream