SL4000 - CVE-2020-26259, Deserialization Vulnerability That Attackers Can Send Serialized Data to the Target Server
(Doc ID 2760991.1)
Last updated on AUGUST 02, 2022
Applies to:
StorageTek SL4000 Modular Library System - Version All Versions and later
Information in this document applies to any platform.
Symptoms
XStream has a deserialization vulnerability: an attacker can send crafted serialized data to the target server, and when that data is deserialized into an object a file deletion can be triggered in the background (CVE-2020-26259). A service running XStream can also be made to construct a specific XML/JSON request while processing deserialized data, resulting in server-side request forgery (CVE-2020-26258).
【Vulnerability Number】
CVE-2020-26259
CVE-2020-26258
【Affected Versions】
XStream <= 1.4.14
【Unaffected Version】
XStream 1.4.15
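As an added example that is not part of this Oracle document or of the XStream project: the symptoms above arise because XStream will instantiate whatever type the incoming serialized data names. Where the upgrade to 1.4.15 cannot be applied immediately, XStream's security framework can restrict unmarshalling to an explicit allowlist of types, so that data naming any other class is rejected before an object is created. The LibraryRequest class, the element names, the sample inputs and the particular allowlist below are assumptions made for illustration; a real service allows exactly the types in its own data model and nothing else.

```java
// Added example (not from the Oracle document or the XStream project): a hardened
// XStream instance that unmarshals only an explicit allowlist of types.
// LibraryRequest, the aliases and the sample documents are constructed for illustration.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class HardenedXStream {

    // Hypothetical application payload; stands in for whatever the service really accepts.
    public static final class LibraryRequest {
        public String libraryId;
        public int driveCount;
    }

    public static XStream build() {
        XStream xstream = new XStream();
        // Drop every default permission, then re-open only what this service needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, LibraryRequest.class });
        // Allow the generic containers the data model uses; drop these lines if it uses none.
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.alias("libraryRequest", LibraryRequest.class);
        return xstream;
    }

    /** Returns true when the document unmarshals to an allowlisted type, false when XStream rejects it. */
    public static boolean isAccepted(XStream xstream, String xml) {
        try {
            Object parsed = xstream.fromXML(xml);
            return parsed != null;
        } catch (XStreamException e) {
            // ForbiddenClassException (a subclass of XStreamException) is raised for types
            // outside the allowlist; log it, because a flood of these is worth an alert.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = build();
        // Constructed sample inputs: one matching the data model, one naming an unrelated JDK type.
        String expected = "<libraryRequest><libraryId>LIB-01</libraryId>"
                + "<driveCount>4</driveCount></libraryRequest>";
        String unexpected = "<java.util.Locale>en_US</java.util.Locale>";
        System.out.println("expected payload accepted: " + isAccepted(xstream, expected));
        System.out.println("unexpected type accepted:  " + isAccepted(xstream, unexpected));
    }
}
```

The allowlist is only a mitigation for input that names types the application never uses; it does not change the library's own behaviour for the types that are allowed, so upgrading to the unaffected version remains the fix.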
Changes
Cause