A: Only software vendors who have installed a CodeMeter SDK version prior to 7.20a or an AxProtector Developer Package version prior to 10.70a are affected. Users of protected applications are not affected.
Q: Are applications that have been encrypted with AxProtector Java affected?
A: No, protected applications are not affected.
Q: How critical is the situation in practice?
A: The vulnerabilities in the XStream library cannot be exploited via AxProtector Java, because we have followed XStream's recommendations for a secure implementation, namely the use of a whitelist for XML classes in AxProtector Java. However, by combining them with other vulnerabilities that may exist on the system, an attacker could exploit the vulnerabilities in the XStream library bundled into AxProtector Java. In line with our secure software processes, we have updated the XStream version in AxProtector Java 10.70 to 1.4.14, in which the vulnerability CVE-2020-26217 is already fixed. Since the other two vulnerabilities (CVE-2020-26258 and CVE-2020-26259) were not released until 2020-12-15, the next AxProtector version 10.70a will include the fixed XStream version 1.4.15.
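The following added example illustrates what a class whitelist in XStream's security framework looks like in general; it is not code from AxProtector Java or from Wibu-Systems. The class names `XStreamAllowlistDemo` and `ProjectSettings` and the sample XML are constructed for illustration, and the XStream library is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical settings type; stands in for whatever an application deserializes.
    public static class ProjectSettings {
        String name;
        int level;
    }

    // Build an XStream instance that refuses every type not explicitly allowed.
    static XStream hardened() {
        XStream xs = new XStream(new StaxDriver());
        xs.addPermission(NoTypePermission.NONE);              // deny all types first
        xs.addPermission(NullPermission.NULL);                // then allow null ...
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // ... primitives and wrappers ...
        xs.allowTypes(new Class[] { ProjectSettings.class, String.class }); // ... and these classes
        xs.alias("settings", ProjectSettings.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed input: the expected document type, which is on the whitelist.
        String expected = "<settings><name>demo</name><level>3</level></settings>";
        ProjectSettings s = (ProjectSettings) xs.fromXML(expected);
        System.out.println("accepted: " + s.name + ", level " + s.level);

        // Constructed input: a harmless JDK type that is NOT on the whitelist.
        // The type check happens before any object of that class is created.
        String unexpected = "<java.util.ArrayList/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was accepted: whitelist is not effective");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected type: " + e.getMessage());
        }
    }
}
```

Because every type outside the whitelist is refused during type resolution, XML that names other classes is rejected regardless of which XStream version is bundled; updating the library remains the additional layer of defence.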
Q: When will the updated AxProtector Java versions be available?