
SL150 - CVE-2020-26259, Deserialization Vulnerability That Attackers Can Send Serialized Data to the Target Server (Doc ID 2760993.1)

Last updated on MARCH 16, 2021

Applies to:

StorageTek SL150 Modular Tape Library - Version All Versions and later
Information in this document applies to any platform.

Symptoms

XStream has a deserialization vulnerability: an attacker who can send serialized data to the target server can supply a crafted serialized object that, when XStream deserializes it, causes arbitrary file deletion on the server in the background (CVE-2020-26259).
A service running XStream that deserializes crafted XML or JSON input can also be made to issue requests from the server side, that is, server-side request forgery (CVE-2020-26258).

【Vulnerability Number】
CVE-2020-26259
CVE-2020-26258

【Affected version】
XStream <= 1.4.14

【Unaffected version】
XStream 1.4.15
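The fix this document gives is to move to XStream 1.4.15. Both CVEs are reachable only because XStream, by default, will instantiate whatever type the incoming XML names; an explicit type allowlist is the defense-in-depth control that closes that class of issue regardless of version. The example below is added here and is not code from Oracle or from the XStream project; it assumes a Java service using XStream and a hypothetical domain class `TapeJob` that stands in for whatever the service actually deserializes.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Hypothetical domain type, assumed for this example only.
    public static class TapeJob {
        public String libraryId;
        public int slot;
    }

    /** Builds an XStream instance that deserializes only the types we name. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Start from "deny every type", then grant back only what the service needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Every class that may appear in the stream must be listed, String included.
        xstream.allowTypes(new Class[] { String.class, TapeJob.class });
        xstream.alias("tapeJob", TapeJob.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed input of the expected shape: deserializes normally.
        String expected = "<tapeJob><libraryId>lib-01</libraryId><slot>7</slot></tapeJob>";
        TapeJob job = (TapeJob) xstream.fromXML(expected);
        System.out.println("deserialized: " + job.libraryId + " slot " + job.slot);

        // Constructed input naming a type that is not on the allowlist: XStream
        // refuses it before any converter runs, which is the behaviour we rely on.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run this against the XStream version the service ships with; after upgrading to 1.4.15 the allowlist stays in place, so a later regression in the library's default permissions would not reopen deserialization of unexpected types.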

Changes

 

Cause



