
SL4000 - CVE-2020-26259, Deserialization Vulnerability That Attackers Can Send Serialized Data to the Target Server (Doc ID 2760991.1)

Last updated on AUGUST 02, 2022

Applies to:

StorageTek SL4000 Modular Library System - Version All Versions and later
Information in this document applies to any platform.

Symptoms

XStream has a deserialization vulnerability: an attacker can send serialized data to the target server, and a serialized object crafted by the attacker can cause arbitrary file deletion in the background when that data is deserialized (CVE-2020-26259). Services running XStream that construct specific XML/JSON requests while processing deserialized data can also be made to issue forged server-side requests (CVE-2020-26258).

【Vulnerability Number】
CVE-2020-26259
CVE-2020-26258

【Affected Versions】
XStream <= 1.4.14

【Unaffected Version】
XStream 1.4.15

Changes

 

Cause
