Bug 1180146 (CVE-2020-26258)

Summary: VUL-0: CVE-2020-26258: xstream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, gianluca.gabrielli, mc, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/273598/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-26258:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2020-12-17 08:29:34 UTC
CVE-2020-26258

XStream is a Java library to serialize objects to XML and back again. In XStream
before version 1.4.15, a Server-Side Forgery Request vulnerability can be
activated when unmarshalling. The vulnerability may allow a remote attacker to
request data from internal resources that are not publicly available only by
manipulating the processed input stream. If you rely on XStream's default
blacklist of the Security Framework, you will have to use at least version
1.4.15. The reported vulnerability does not exist if running Java 15 or higher.
No user is affected who followed the recommendation to set up XStream's Security
Framework with a whitelist! Anyone relying on XStream's default blacklist can
immediately switch to a whitelist for the allowed types to avoid the
vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's
default blacklist can use a workaround described in more detail in the
referenced advisories.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
https://x-stream.github.io/CVE-2020-26258.html
Comment 1 OBSbugzilla Bot 2021-01-18 10:50:11 UTC
This is an autogenerated message for OBS integration:
This bug (1180146) was mentioned in
https://build.opensuse.org/request/show/864027 Factory / xstream
Comment 3 Swamp Workflow Management 2021-01-20 14:17:38 UTC
SUSE-SU-2021:0176-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180145,1180146,1180994
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xstream-1.4.15-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-01-22 20:16:01 UTC
openSUSE-SU-2021:0140-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180145,1180146,1180994
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xstream-1.4.15-lp152.2.3.1
Comment 7 Swamp Workflow Management 2021-03-19 20:23:31 UTC
SUSE-RU-2021:0896-1: An update that has 29 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.6-3.41.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.6-3.29.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.6-3.29.1
Comment 8 Swamp Workflow Management 2021-03-19 21:02:58 UTC
SUSE-SU-2021:0906-1: An update that solves four vulnerabilities and has 25 fixes is now available.

Category: security (moderate)
Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259,CVE-2020-28477
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    cobbler-3.0.0+git20190806.32c4bae0-5.6.4, grafana-formula-0.4.0-3.6.2, mgr-libmod-4.1.7-3.16.2, mgr-osad-4.1.5-2.9.4, prometheus-exporters-formula-0.9.0-3.19.2, prometheus-formula-0.3.1-3.6.2, py26-compat-salt-2016.11.10-6.11.2, rhnlib-4.1.3-4.3.2, smdba-1.7.8-0.3.6.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-config-4.1.5-3.3.2, spacewalk-java-4.1.30-3.31.7, spacewalk-utils-4.1.14-3.12.2, spacewalk-web-4.1.23-3.18.6, subscription-matcher-0.26-3.6.2, susemanager-4.1.24-3.20.2, susemanager-doc-indexes-4.1-11.28.4, susemanager-docs_en-4.1-11.28.2, susemanager-schema-4.1.19-3.24.4, susemanager-sls-4.1.21-3.26.2, xpp3-1.1.4c-11.2.2, xstream-1.4.15-3.5.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    mgr-osad-4.1.5-2.9.4, rhnlib-4.1.3-4.3.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-proxy-4.1.4-3.9.4, spacewalk-proxy-installer-4.1.6-3.3.2, spacewalk-web-4.1.23-3.18.6
Comment 9 Michael Calmer 2022-02-09 15:56:57 UTC
Security Team: Please check, but I think this has already been fixed for a long time.
Comment 10 Gianluca Gabrielli 2022-02-21 12:45:24 UTC
I see a missing submission for:
 - SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream

But if I'm not mistaken, this product is EOL, so we can ignore it. Could you confirm that?
Comment 11 Michael Calmer 2022-02-21 13:08:24 UTC
Yes, SUSE Manager 4.0 is EOL.