vulnerability

Oracle Linux: CVE-2020-26217: ELSA-2021-0162: xstream security update (IMPORTANT) (Multiple Advisories)

Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
2020-11-16
Added
2021-01-20
Modified
2025-01-07

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Solution(s)

oracle-linux-upgrade-xstreamoracle-linux-upgrade-xstream-javadoc
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.