Bugzilla – Bug 1180146
VUL-0: CVE-2020-26258: xstream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
Last modified: 2022-02-21 14:07:08 UTC
CVE-2020-26258 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
https://x-stream.github.io/CVE-2020-26258.html
This is an autogenerated message for OBS integration: This bug (1180146) was mentioned in https://build.opensuse.org/request/show/864027 Factory / xstream
SUSE-SU-2021:0176-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1180145,1180146,1180994 CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259 JIRA References: Sources used: SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): xstream-1.4.15-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0140-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1180145,1180146,1180994 CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259 JIRA References: Sources used: openSUSE Leap 15.2 (src): xstream-1.4.15-lp152.2.3.1
SUSE-RU-2021:0896-1: An update that has 29 recommended fixes can now be installed. Category: recommended (low) Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685 CVE References: JIRA References: Sources used: SUSE Manager Server 4.1 (src): release-notes-susemanager-4.1.6-3.41.1 SUSE Manager Retail Branch Server 4.1 (src): release-notes-susemanager-proxy-4.1.6-3.29.1 SUSE Manager Proxy 4.1 (src): release-notes-susemanager-proxy-4.1.6-3.29.1
SUSE-SU-2021:0906-1: An update that solves four vulnerabilities and has 25 fixes is now available. Category: security (moderate) Bug References: 1157711,1173893,1175660,1177508,1179579,1180145,1180146,1180224,1180439,1180547,1180558,1180757,1180994,1181048,1181165,1181228,1181290,1181416,1181423,1181635,1181807,1181814,1182001,1182006,1182008,1182071,1182200,1182492,1182685 CVE References: CVE-2020-26217,CVE-2020-26258,CVE-2020-26259,CVE-2020-28477 JIRA References: Sources used: SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): cobbler-3.0.0+git20190806.32c4bae0-5.6.4, grafana-formula-0.4.0-3.6.2, mgr-libmod-4.1.7-3.16.2, mgr-osad-4.1.5-2.9.4, prometheus-exporters-formula-0.9.0-3.19.2, prometheus-formula-0.3.1-3.6.2, py26-compat-salt-2016.11.10-6.11.2, rhnlib-4.1.3-4.3.2, smdba-1.7.8-0.3.6.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-config-4.1.5-3.3.2, spacewalk-java-4.1.30-3.31.7, spacewalk-utils-4.1.14-3.12.2, spacewalk-web-4.1.23-3.18.6, subscription-matcher-0.26-3.6.2, susemanager-4.1.24-3.20.2, susemanager-doc-indexes-4.1-11.28.4, susemanager-docs_en-4.1-11.28.2, susemanager-schema-4.1.19-3.24.4, susemanager-sls-4.1.21-3.26.2, xpp3-1.1.4c-11.2.2, xstream-1.4.15-3.5.2 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src): mgr-osad-4.1.5-2.9.4, rhnlib-4.1.3-4.3.2, spacewalk-backend-4.1.21-4.22.7, spacewalk-client-tools-4.1.9-4.12.4, spacewalk-proxy-4.1.4-3.9.4, spacewalk-proxy-installer-4.1.6-3.3.2, spacewalk-web-4.1.23-3.18.6
Security Team: Please check, but I think this has already been fixed for a long time.
I see a missing submission for: - SUSE:SLE-15-SP1:Update:Products:Manager40:Update/xstream But if I'm not mistaken this product is EOL, so we can ignore it. Could you confirm that?
Yes, SUSE Manager 4.0 is EOL.