Deserialization of Untrusted Data (XStream)
Description
This vulnerability occurs when an application uses the XStream library to deserialize untrusted XML data without proper security controls. XStream is a Java library that converts objects to XML and vice versa. When deserializing user-supplied data, attackers can craft malicious XML payloads that exploit known XStream vulnerabilities to execute arbitrary code, perform server-side request forgery (SSRF), or compromise application security. The detected vulnerability affects applications using outdated XStream versions susceptible to CVE-2013-7285, CVE-2020-26258, and CVE-2020-26217.
Remediation
To remediate this vulnerability, implement the following security measures:
1. Upgrade XStream Library:
Update to XStream version 1.4.18 or later, which includes security fixes for known deserialization vulnerabilities.
2. Enable XStream Security Framework:
Configure XStream's security framework to whitelist only trusted types. Example:
import com.thoughtworks.xstream.XStream;

XStream xstream = new XStream();
// Activates the type whitelist on XStream 1.4.10 to 1.4.17; a no-op from 1.4.18 on,
// where the whitelist is already the default
XStream.setupDefaultSecurity(xstream);
// Whitelist specific classes that need to be deserialized
xstream.allowTypes(new Class[] { YourTrustedClass.class });
// Or use wildcard patterns for packages (the trailing ** also matches subpackages)
xstream.allowTypesByWildcard(new String[] { "com.yourcompany.trusted.**" });
3. Avoid Deserializing Untrusted Data:
If possible, avoid deserializing user-supplied XML entirely. Consider using safer data formats like JSON with strict schema validation.
4. Input Validation:
Implement strict validation of all XML input before deserialization, rejecting any unexpected or suspicious content.
5. Apply Principle of Least Privilege:
Run the application with minimal necessary permissions to limit the impact of potential exploitation.
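The following is an added example, not code from the original page or from the XStream project, showing the allowlist approach from step 2 carried through to a complete, checkable configuration: it clears every default permission, re-admits only null, primitives and one application type, and then demonstrates that a trusted object round-trips while an XML document naming any other type is rejected. It assumes XStream 1.4.18 or later on the classpath; the Order class, the "order" alias and the sample XML are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not from the original page): an XStream instance that starts from
// an empty allowlist and admits only the one application type it must deserialize.
// Assumes XStream 1.4.18 or later.
public class HardenedXStreamExample {

    // Hypothetical application DTO, standing in for "YourTrustedClass" above.
    public static class Order {
        String id;
        int quantity;

        public Order() {}

        public Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }
    }

    public static XStream buildHardenedXStream() {
        XStream xstream = new XStream();
        // Drop every default permission so that nothing is allowed until we say so.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the basics a DTO needs: null values and primitive/boxed types.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Exact allowlist: only String and our own DTO may appear as element types.
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // Stable element name so the XML does not expose the internal class name.
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Returns true when the document was rejected by the security framework.
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown directly when the root element names a forbidden type.
            return true;
        } catch (XStreamException e) {
            // A forbidden type nested inside a field surfaces wrapped in a
            // ConversionException, so check the cause chain as well.
            Throwable t = e.getCause();
            while (t != null) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
                t = t.getCause();
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xstream = buildHardenedXStream();

        // Trusted round-trip of an allowlisted type works as before.
        String ok = xstream.toXML(new Order("A-42", 3));
        Order back = (Order) xstream.fromXML(ok);
        System.out.println("round-trip: " + back.id + " x" + back.quantity);

        // Constructed untrusted input: the root element names a type outside the
        // allowlist. A harmless JDK class is used here; any other class, gadget or
        // not, is treated identically because the check is on the allowlist only.
        String untrusted = "<java.util.ArrayList/>";
        System.out.println("untrusted rejected: " + isRejected(xstream, untrusted));
    }
}
```

Starting from NoTypePermission.NONE rather than the built-in defaults means a later XStream release adding or removing default permissions cannot silently widen what the application accepts; every admitted type is visible in buildHardenedXStream. Log each rejection with the offending type name (the exception message carries it), since a stream of ForbiddenClassException entries is a useful detection signal for probing of the endpoint.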