=========================================================================
Ubuntu Security Notice USN-4714-1
January 28, 2021

libxstream-java vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in libxstream-java.

Software Description:
- libxstream-java: Java library to serialize objects to XML and back again

Details:

Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code
execution. A remote attacker could run arbitrary shell commands by
manipulating the processed input stream. (CVE-2020-26217)

It was discovered that XStream was vulnerable to server-side forgery
attacks. A remote attacker could request data from internal resources
that are not publicly available only by manipulating the processed input
stream. (CVE-2020-26258)

It was discovered that XStream was vulnerable to arbitrary file deletion
on the local host. A remote attacker could use this to delete arbitrary
known files on the host as long as the executing process had sufficient
rights only by manipulating the processed input stream. (CVE-2020-26259)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libxstream-java 1.4.11.1-1ubuntu0.1

Ubuntu 18.04 LTS:
  libxstream-java 1.4.11.1-1~18.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4714-1
  CVE-2020-26217, CVE-2020-26258, CVE-2020-26259

Package Information:
  https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libxstream-java/1.4.11.1-1~18.04.1