Bug 1180145 - (CVE-2020-26259) VUL-0: CVE-2020-26259: xstream: Arbitrary File Deletion on the local host when unmarshalling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/273599/
CVSSv3.1:SUSE:CVE-2020-26259:5.4:(AV:...
Depends on:
Blocks:
Reported: 2020-12-17 08:27 UTC by Alexander Bergmann
Modified: 2022-02-21 14:06 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2020-12-17 08:27:16 UTC
CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. XStream
before version 1.4.15 is vulnerable to an Arbitrary File Deletion on the local
host when unmarshalling. The vulnerability may allow a remote attacker to delete
arbitrary known files on the host, as long as the executing process has
sufficient rights, only by manipulating the processed input stream. If you rely
on XStream's default blacklist of the Security Framework, you will have to use
at least version 1.4.15. The reported vulnerability does not exist running
Java 15 or higher. No user who followed the recommendation to set up XStream's
Security Framework with a whitelist is affected! Anyone relying on XStream's
default blacklist can immediately switch to a whitelist for the allowed types to
avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use
XStream's default blacklist can use a workaround described in more detail in the
referenced advisories.

Affected versions: < 1.4.14
Patched versions:    1.4.15

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
https://x-stream.github.io/CVE-2020-26259.html
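The description above recommends switching from XStream's default blacklist to a whitelist of allowed types. The following is an added example of that configuration, written for this page; it is not code from the XStream project or from the advisories. It uses XStream's public Security Framework API (addPermission, allowTypes, allowTypesByWildcard, ForbiddenClassException) and assumes a hypothetical application class Report as the only type the application expects to unmarshal; the XML inputs are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only class this application ever
    // expects to read back from XML.
    public static class Report {
        String title;
        int pages;
    }

    /**
     * Builds an XStream instance whose Security Framework rejects every type
     * that is not explicitly allowed. Any gadget class reachable through the
     * default blacklist is therefore never instantiated during unmarshalling.
     */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();

        // Start from "deny everything": NoTypePermission.NONE clears the
        // permissions XStream installed by default, including its blacklist.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-enable the harmless basics: null, primitives and their wrappers,
        // and String (not covered by PrimitiveTypePermission).
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });

        // Allow exactly the application's own model types.
        xstream.allowTypes(new Class[] { Report.class });
        // Alternatively, allow a whole (hypothetical) model package:
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });

        // Short element name so the sample XML does not need the class name.
        xstream.alias("report", Report.class);
        return xstream;
    }

    /** Unmarshals untrusted XML, returning null when a forbidden type is found. */
    public static Report parseReport(XStream xstream, String untrustedXml) {
        try {
            Object obj = xstream.fromXML(untrustedXml);
            return obj instanceof Report ? (Report) obj : null;
        } catch (ForbiddenClassException e) {
            // Log and reject: the input named a type outside the whitelist.
            System.err.println("Rejected input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample input using only the allowed type: parses normally.
        String expected = "<report><title>Q4</title><pages>3</pages></report>";
        Report r = parseReport(xstream, expected);
        System.out.println("title=" + r.title + " pages=" + r.pages);

        // Constructed sample input naming a JDK type that is not on the list:
        // the Security Framework throws ForbiddenClassException before any
        // object of that type is created.
        String unexpected = "<java.util.HashMap/>";
        Report rejected = parseReport(xstream, unexpected);
        System.out.println("unexpected input accepted? " + (rejected != null));
    }
}
```

The first addPermission(NoTypePermission.NONE) is the important line: without it, allowTypes only adds to the default permission set instead of replacing it, and the deployment still depends on the blacklist the advisory describes as incomplete. Compile and run with the xstream jar on the classpath; the second input is reported as rejected.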
Comment 1 OBSbugzilla Bot 2021-01-18 10:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1180145) was mentioned in
https://build.opensuse.org/request/show/864027 Factory / xstream
Comment 3 Swamp Workflow Management 2021-01-20 14:17:32 UTC
SUSE-SU-2021:0176-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180145,1180146,1180994
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    xstream-1.4.15-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-01-22 20:15:54 UTC
openSUSE-SU-2021:0140-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180145,1180146,1180994
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xstream-1.4.15-lp152.2.3.1
Comment 7 Swamp Workflow Management 2021-03-19 20:23:23 UTC
SUSE-RU-2021:0896-1: An update that has 29 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.6-3.41.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.6-3.29.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.6-3.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-03-19 21:02:50 UTC
SUSE-SU-2021:0906-1: An update that solves four vulnerabilities and has 25 fixes is now available.

Category: security (moderate)
Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685
CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259,CVE-2020-28477
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    cobbler-3.0.0+git20190806.32c4bae0-5.6.4, grafana-formula-0.4.0-3.6.2, mgr-libmod-4.1.7-3.16.2, mgr-osad-4.1.5-2.9.4, prometheus-exporters-formula-0.9.0-3.19.2, prometheus-formula-0.3.1-3.6.2, py26-compat-salt-2016.11.10-6.11.2, rhnlib-4.1.3-4.3.2, smdba-1.7.8-0.3.6.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-config-4.1.5-3.3.2, spacewalk-java-4.1.30-3.31.7, spacewalk-utils-4.1.14-3.12.2, spacewalk-web-4.1.23-3.18.6, subscription-matcher-0.26-3.6.2, susemanager-4.1.24-3.20.2, susemanager-doc-indexes-4.1-11.28.4, susemanager-docs_en-4.1-11.28.2, susemanager-schema-4.1.19-3.24.4, susemanager-sls-4.1.21-3.26.2, xpp3-1.1.4c-11.2.2, xstream-1.4.15-3.5.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    mgr-osad-4.1.5-2.9.4, rhnlib-4.1.3-4.3.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-proxy-4.1.4-3.9.4, spacewalk-proxy-installer-4.1.6-3.3.2, spacewalk-web-4.1.23-3.18.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Michael Calmer 2022-02-09 16:00:49 UTC
Security Team: Seems fixes are submitted and already released. Please check and close the bug
Comment 10 Gianluca Gabrielli 2022-02-21 12:44:46 UTC
I see a missing submission for:
 - SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream

But if I'm not mistaken this product is EOL, so we can ignore it. Could you confirm that?
Comment 11 Michael Calmer 2022-02-21 13:07:48 UTC
Yes, SUSE Manager 4.0 is EOL.