It was discovered that the default blacklist of XStream, a Java library to serialise objects to XML and back again, was vulnerable to the execution of arbitrary shell commands by manipulating the processed input stream.

For additional defense-in-depth it is recommended to switch to the whitelist approach of XStream's security framework. For additional information please refer to https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c
-q4q2

The remote Scientific Linux 7 host has packages installed that are affected by a vulnerability as referenced in the SLSA-2021:0162-1 advisory.

  - XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of xstream installed on the remote host is prior to 1.3.1-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1593 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6978-1 advisory.

    It was discovered that XStream incorrectly handled parsing of certain crafted XML documents. A remote     attacker could possibly use this issue to read arbitrary files. (CVE-2016-3674)

    Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker     could run arbitrary shell commands by manipulating the processed input stream. (CVE-2020-26217)

    It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could     request data from internal resources that are not publicly available only by manipulating the processed     input stream. (CVE-2020-26258)

    It was discovered that XStream was vulnerable to arbitrary file deletion on the local host. A remote     attacker could use this to delete arbitrary known files on the host as long as the executing process had     sufficient rights only by manipulating the processed input stream. (CVE-2020-26259)

    It was discovered that XStream was vulnerable to denial of service, arbitrary code execution, arbitrary     file deletion and server-side forgery attacks. A remote attacker could cause any of those issues by     manipulating the processed input stream. (CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,     CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350,     CVE-2021-21351)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4943-1 advisory.

    Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker     could run arbitrary shell commands by manipulating the processed input stream. This issue affected only     affected Ubuntu 20.10. (CVE-2020-26217)

    It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could     request data from internal resources that are not publicly available only by manipulating the processed     input stream. This issue only affected Ubuntu 20.10. (CVE-2020-26258)

    It was discovered that XStream was vulnerable to arbitrary file deletion on the local host. A remote     attacker could use this to delete arbitrary known files on the host as long as the executing process had     sufficient rights only by manipulating the processed input stream. This issue only affected Ubuntu 20.10.
    (CVE-2020-26259)

    It was discovered that XStream was vulnerable to denial of service, arbitrary code execution, arbitrary     file deletion and server-side forgery attacks. A remote attacker could cause any of those issues by     manipulating the processed input stream. (CVE-2021-21341, CVE-2021-21342, CVE-2021-21343 CVE-2021-21344,     CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350,     CVE-2021-21351)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has xstream packages installed that are affected by a vulnerability:

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0162 advisory.

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4714-1 advisory.

    Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker     could run arbitrary shell commands by manipulating the processed input stream. (CVE-2020-26217)

    It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could     request data from internal resources that are not publicly available only by manipulating the processed     input stream. (CVE-2020-26258)

    It was discovered that XStream was vulnerable to arbitrary file deletion on the local host. A remote     attacker could use this to delete arbitrary known files on the host as long as the executing process had     sufficient rights only by manipulating the processed input stream. (CVE-2020-26259)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0162 advisory.

    [1.3.1-12]
    - Rebuild with OpenJDK 7

    [1.3.1-11]
    - Fix remote code execution vulnerability
    - Resolves: CVE-2020-26217

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has xstream packages installed that are affected by a vulnerability:

  - XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote     attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who     rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The     linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version     1.4.14. (CVE-2020-26217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was found that XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Users who rely on blocklists are affected (the default in Debian). We strongly recommend to use the whitelist approach of XStream's Security Framework because there are likely more class combinations the blacklist approach may not address.

For Debian 9 stretch, this problem has been fixed in version 1.4.9-2+deb9u1.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xstream fixes the following issues :

xstream was updated to version 1.4.15.

  - CVE-2020-26217: Fixed a remote code execution due to     insecure XML deserialization when relying on blocklists     (bsc#1180994).

  - CVE-2020-26258: Fixed a server-side request forgery     vulnerability (bsc#1180146).

  - CVE-2020-26259: Fixed an arbitrary file deletion     vulnerability (bsc#1180145).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0162 advisory.

    XStream is a Java XML serialization library to serialize objects to and deserialize object from XML.

    Security Fix(es):

    * XStream: remote code execution due to insecure XML deserialization when relying on blocklists     (CVE-2020-26217)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
144311	Debian DSA-4811-1 : libxstream-java - security update	Nessus	Debian Local Security Checks	12/16/2020	2/1/2024	high
145442	Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:0162)	Nessus	Scientific Linux Local Security Checks	1/26/2021	1/26/2024	high
145450	Amazon Linux 2 : xstream (ALAS-2021-1593)	Nessus	Amazon Linux Local Security Checks	1/26/2021	1/26/2024	high
206123	Ubuntu 14.04 LTS / 16.04 LTS : XStream vulnerabilities (USN-6978-1)	Nessus	Ubuntu Local Security Checks	8/22/2024	8/27/2024	critical
149408	Ubuntu 18.04 LTS / 20.04 LTS : XStream vulnerabilities (USN-4943-1)	Nessus	Ubuntu Local Security Checks	5/12/2021	8/27/2024	critical
154605	NewStart CGSL CORE 5.04 / MAIN 5.04 : xstream Vulnerability (NS-SA-2021-0095)	Nessus	NewStart CGSL Local Security Checks	10/28/2021	11/27/2023	high
145441	CentOS 7 : xstream (RHSA-2021:0162)	Nessus	CentOS Local Security Checks	1/26/2021	10/9/2024	high
145542	Ubuntu 18.04 LTS / 20.04 LTS : XStream vulnerabilities (USN-4714-1)	Nessus	Ubuntu Local Security Checks	1/29/2021	8/27/2024	high
145080	Oracle Linux 7 : xstream (ELSA-2021-0162)	Nessus	Oracle Linux Local Security Checks	1/19/2021	11/1/2024	high
154468	NewStart CGSL CORE 5.05 / MAIN 5.05 : xstream Vulnerability (NS-SA-2021-0179)	Nessus	NewStart CGSL Local Security Checks	10/27/2021	11/27/2023	high
143386	Debian DLA-2471-1 : libxstream-java security update	Nessus	Debian Local Security Checks	12/1/2020	2/7/2024	high
145314	openSUSE Security Update : xstream (openSUSE-2021-140)	Nessus	SuSE Local Security Checks	1/25/2021	1/26/2024	high
145067	RHEL 7 : xstream (RHSA-2021:0162)	Nessus	Red Hat Local Security Checks	1/19/2021	11/7/2024	high

Detections

Analytics

Plugins Search

high

high

high

critical

critical

high

high

high

high

high

high

high

high