FAQ – Security Advisory 201218
FAQ last updated: 2021-01-28
Frequently Asked Questions (Q&A)
Q: Who is affected?
A: Only software vendors who have installed a CodeMeter SDK version prior to 7.20a or an AxProtector Developer Package version prior to 10.70a are affected. Users of protected applications are not affected.
Q: Are applications affected that have been encrypted with AxProtector Java?
A: No, protected applications are not affected.
Q: How critical is the situation in practice?
A: The vulnerabilities in the XStream library cannot be exploited via AxProtector Java, because we have followed XStream's recommendations for a secure implementation, namely the use of a whitelist for XML classes in AxProtector Java.
Only by combining other vulnerabilities that may exist on the system could an attacker exploit the vulnerabilities in the XStream library bundled with AxProtector Java.
In line with our secure software development processes, we have updated the XStream version in AxProtector Java 10.70 to 1.4.14, in which the vulnerability CVE-2020-26217 is already fixed.
Since the other two vulnerabilities (CVE-2020-26258 and CVE-2020-26259) were not published until 2020-12-15, the next AxProtector version, 10.70a, will include the fixed XStream version 1.4.15.
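The whitelist approach the answer refers to, as an added example that is not Wibu-Systems' AxProtector Java code: a stand-alone XStream configuration that denies every type by default and admits only one hypothetical application class (LicenseInfo, its element alias and the two sample XML documents are assumptions), so a document naming any other class is rejected before an instance is created.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical application type: the only class the parser may instantiate from XML.
    public static class LicenseInfo {
        public String product;
        public int seats;
    }

    // XStream 1.4.14/1.4.15 (the versions named above) still start in a permissive mode,
    // so the whitelist has to be configured explicitly: deny everything, then re-admit
    // only nulls, primitives, String and the one application class.
    public static XStream newRestrictedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and boxed forms
        xstream.allowTypes(new Class[] { String.class, LicenseInfo.class });
        xstream.alias("license", LicenseInfo.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newRestrictedXStream();

        // Constructed sample document that uses only whitelisted types: parses normally.
        String benign = "<license><product>Demo</product><seats>5</seats></license>";
        LicenseInfo info = (LicenseInfo) xstream.fromXML(benign);
        System.out.println("parsed: " + info.product + " / " + info.seats);

        // Constructed sample document whose root names a JDK class that is not on the
        // whitelist: the type check fails before any object is created, which is the
        // property the advisory relies on. XStream reports this as a ForbiddenClassException
        // (wrapped in a ConversionException when it happens below the root element).
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("parsed without error: whitelist is NOT enforced");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```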
Q: When will the updated AxProtector Java versions be available?
A: AxProtector Java 10.70 is available for download at https://www.wibu.com/support/developer/downloads-developer-software.html. For Windows and macOS this version is included in CodeMeter Development Kit 7.20. AxProtector Java version 10.70a / CodeMeter Development Kit 7.20a will be available in the first quarter of 2021 at the same location.
Q: Do the vulnerabilities allow people to circumvent the licenses and software protection?
A: No, these vulnerabilities have no impact on the licensing or protection of applications.