XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStreams default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStreams Security Framework with a whitelist! Anyone relying on XStreams default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Weakness
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Struts | Apache | * | 6.0.0 (excluding) |
| Red Hat Data Grid 8.2.0 | RedHat | xstream | * |
| Red Hat Fuse 7.9 | RedHat | xstream | * |
| Red Hat Integration | RedHat | * | |
| Red Hat Integration Camel Quarkus 2 | RedHat | * | |
| RHDM 7.11.0 | RedHat | xstream | * |
| RHPAM 7.11.0 | RedHat | xstream | * |
| Libxstream-java | Ubuntu | bionic | * |
| Libxstream-java | Ubuntu | esm-apps/bionic | * |
| Libxstream-java | Ubuntu | esm-apps/focal | * |
| Libxstream-java | Ubuntu | esm-apps/xenial | * |
| Libxstream-java | Ubuntu | esm-infra-legacy/trusty | * |
| Libxstream-java | Ubuntu | focal | * |
| Libxstream-java | Ubuntu | groovy | * |
| Libxstream-java | Ubuntu | trusty | * |
| Libxstream-java | Ubuntu | trusty/esm | * |
| Libxstream-java | Ubuntu | upstream | * |
| Libxstream-java | Ubuntu | xenial | * |
Related Attack Patterns
References
- https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
- https://security.netapp.com/advisory/ntap-20210409-0005
- https://www.debian.org/security/2021/dsa-4828
- https://x-stream.github.io/CVE-2020-26258.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://security.netapp.com/advisory/ntap-20210409-0005/
- https://www.debian.org/security/2021/dsa-4828
- https://x-stream.github.io/CVE-2020-26258.html