CVE-2020-26217
Arbitrary Shell Commands vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2020-26217 About?
This vulnerability allows a remote attacker to execute arbitrary shell commands by manipulating the processed input stream of XStream. While a default blacklist was provided, it can be bypassed, making it a critical threat. Users following white-listing recommendations are safe, but those relying on the flawed blacklist are vulnerable to straightforward exploitation.
Affected Software
Technical Details
The vulnerability in XStream allows for remote code execution by processing a specially crafted input stream containing malicious serialized objects. Specifically, an attacker can manipulate the input stream to trigger the instantiation of classes such as `javax.imageio.ImageIO$ContainsFilter` or `java.lang.ProcessBuilder`. When deserialized, these objects can invoke methods that execute arbitrary shell commands on the underlying system. The flaw stems from XStream's default blacklist approach to security, which failed to adequately block all dangerous types or could be bypassed, especially with versions prior to 1.4.14.
What is the Impact of CVE-2020-26217?
Successful exploitation may allow attackers to execute arbitrary shell commands, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2020-26217?
Exploitation involves crafting a malicious input stream (e.g., XML) that targets specific vulnerable classes in the Java runtime environment. The complexity is moderate, requiring knowledge of XStream's deserialization process and Java gadget chains. No authentication is typically required if the application processes untrusted input through a vulnerable XStream instance. It is a remote attack, as the attacker sends the malicious data to the target system. The likelihood of exploitation is significantly higher if the application uses XStream's default blacklist rather than a strict whitelist for deserialized types.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Al1ex | Link | CVE-2020-26217 && XStream RCE |
| novysodope | Link | CVE-2020-26217 XStream RCE POC |
| epicosy | Link | xstream with CVE-2020-26217 |
What are the Available Fixes for CVE-2020-26217?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - <1.4.14-java7 → Upgrade to 1.4.14-java7
Additional Resources
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
- https://www.debian.org/security/2020/dsa-4811
- https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
- https://x-stream.github.io/CVE-2020-26217.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/x-stream/xstream
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
What are Similar Vulnerabilities to CVE-2020-26217?
Similar Vulnerabilities: CVE-2021-39145, CVE-2021-21341, CVE-2016-3674, CVE-2017-7957, CVE-2017-1000487
