ID CVE-2016-5003
Summary The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
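The summary above describes the bug as a serialized Java object carried in an <ex:serializable> element, and the Amazon Linux advisory text further down on this page notes that the library only parses that element when the enabledForExtensions setting is on. As an added example (not code from ws-xmlrpc, Apache Archiva or any vendor advisory), the Python below inspects an XML-RPC request body the way a proxy or WAF hook would: it locates <ex:serializable> elements under the Apache extensions namespace, base64-decodes them, and checks for the Java ObjectOutputStream header (AC ED 00 05) and the outermost class name. The two sample requests, the placeholder method name example.ping and the class name com.example.Placeholder are constructed for this illustration; the fake stream is a header stub only, not a deserializable object.

```python
"""Flag Apache XML-RPC <ex:serializable> payloads in XML-RPC request bodies.

Added illustration of a proxy/WAF inspection hook; this is not code from
ws-xmlrpc, Apache Archiva or any vendor advisory.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace of the Apache XML-RPC vendor extensions. <ex:serializable> is
# only honoured by the server when enabledForExtensions is switched on.
EX_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIAL_TAG = "{%s}serializable" % EX_NS

# Header every java.io.ObjectOutputStream stream begins with:
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def first_class_name(stream: bytes):
    """Class name of the outermost object when the stream starts with
    magic, TC_OBJECT, TC_CLASSDESC, <2-byte length>, <name>; else None."""
    if len(stream) < 8 or not stream.startswith(JAVA_SERIAL_MAGIC):
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    n = int.from_bytes(stream[6:8], "big")
    name = stream[8:8 + n]
    if len(name) != n:
        return None
    try:
        return name.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_request(body: bytes):
    """One finding per <ex:serializable> element in an XML-RPC methodCall.

    Raises xml.etree.ElementTree.ParseError on malformed XML; callers decide
    whether that is grounds to reject (see should_block)."""
    root = ET.fromstring(body)
    method = root.findtext("methodName", default="")
    findings = []
    for elem in root.iter(SERIAL_TAG):
        text = "".join(elem.itertext()).strip()
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        findings.append({
            "method": method,
            "bytes": len(raw),
            "java_stream": raw.startswith(JAVA_SERIAL_MAGIC),
            "class": first_class_name(raw),
        })
    return findings


def should_block(body: bytes) -> bool:
    """Fail-closed policy: reject any request carrying a Java serialization
    stream in <ex:serializable>, and reject bodies that do not parse at all."""
    try:
        return any(f["java_stream"] for f in inspect_request(body))
    except ET.ParseError:
        return True


# Constructed sample stream: magic + object/classdesc markers + a placeholder
# class name. It is only a header stub so the detector has something to read;
# it is NOT a deserializable object and NOT a gadget chain.
FAKE_CLASS = b"com.example.Placeholder"
FAKE_STREAM = (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
               + len(FAKE_CLASS).to_bytes(2, "big") + FAKE_CLASS)

# Constructed requests; "example.ping" is a placeholder method name.
SUSPECT_REQUEST = ("""<?xml version="1.0"?>
<methodCall xmlns:ex="%s">
  <methodName>example.ping</methodName>
  <params><param><value><ex:serializable>%s</ex:serializable></value></param></params>
</methodCall>""" % (EX_NS, base64.b64encode(FAKE_STREAM).decode())).encode()

BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        verdict = "BLOCK" if should_block(body) else "allow"
        print(label, verdict, inspect_request(body))
```

The decision is fail-closed: a body that is not well-formed XML is also rejected, since the vulnerable code path is only reached through a parsed request anyway. On the server side, the condition to check is the enabledForExtensions setting the advisory names; leaving it off, or upgrading to the fixed builds listed in the rpms section of this page, removes the code path entirely.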
References
Vulnerable Configurations
  • cpe:2.3:a:apache:ws-xmlrpc:3.1.3
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-6E6F1003D6.NASL
    description Security fix for CVE-2016-5003, CVE-2016-5002 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 110301
    published 2018-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110301
    title Fedora 27 : 1:xmlrpc (2018-6e6f1003d6)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1780.NASL
    description An update for xmlrpc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110281
    published 2018-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110281
    title RHEL 7 : xmlrpc (RHSA-2018:1780)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2317.NASL
    description An update for xmlrpc is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. XML-RPC is a way to make remote procedure calls over the Internet. It converts procedure calls into XML documents, sends them to a remote server using the HTTP protocol, and gets back the response as XML. The following packages have been upgraded to a later upstream version: xmlrpc (3.1.3). (BZ#1594618) Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 111514
    published 2018-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111514
    title RHEL 7 : Virtualization (RHSA-2018:2317)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-4AC4229AA8.NASL
    description Security fix for CVE-2016-5003, CVE-2016-5002 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120400
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120400
    title Fedora 28 : 1:xmlrpc (2018-4ac4229aa8)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1041.NASL
    description A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.(CVE-2016-5003)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 110780
    published 2018-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110780
    title Amazon Linux 2 : xmlrpc (ALAS-2018-1041)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1779.NASL
    description From Red Hat Security Advisory 2018:1779 : An update for xmlrpc3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 110277
    published 2018-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110277
    title Oracle Linux 6 : xmlrpc3 (ELSA-2018-1779)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180531_XMLRPC_ON_SL7_X.NASL
    description Security Fix(es) : - xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 110307
    published 2018-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110307
    title Scientific Linux Security Update : xmlrpc on SL7.x (noarch)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1780.NASL
    description From Red Hat Security Advisory 2018:1780 : An update for xmlrpc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 110278
    published 2018-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110278
    title Oracle Linux 7 : xmlrpc (ELSA-2018-1780)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-1780.NASL
    description An update for xmlrpc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110298
    published 2018-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110298
    title CentOS 7 : xmlrpc (CESA-2018:1780)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1779.NASL
    description An update for xmlrpc3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110280
    published 2018-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110280
    title RHEL 6 : xmlrpc3 (RHSA-2018:1779)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-1779.NASL
    description An update for xmlrpc3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Security Fix(es) : * xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110297
    published 2018-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110297
    title CentOS 6 : xmlrpc3 (CESA-2018:1779)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180531_XMLRPC3_ON_SL6_X.NASL
    description Security Fix(es) : - xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 110283
    published 2018-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110283
    title Scientific Linux Security Update : xmlrpc3 on SL6.x (noarch)
redhat via4
advisories
  • bugzilla
    id 1508123
    title xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment xmlrpc3-client is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779007
        • comment xmlrpc3-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779008
      • AND
        • comment xmlrpc3-client-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779009
        • comment xmlrpc3-client-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779010
      • AND
        • comment xmlrpc3-common is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779005
        • comment xmlrpc3-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779006
      • AND
        • comment xmlrpc3-common-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779011
        • comment xmlrpc3-common-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779012
      • AND
        • comment xmlrpc3-javadoc is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779017
        • comment xmlrpc3-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779018
      • AND
        • comment xmlrpc3-server is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779013
        • comment xmlrpc3-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779014
      • AND
        • comment xmlrpc3-server-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779015
        • comment xmlrpc3-server-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779016
    rhsa
    id RHSA-2018:1779
    released 2018-05-31
    severity Important
    title RHSA-2018:1779: xmlrpc3 security update (Important)
  • bugzilla
    id 1508123
    title xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment xmlrpc-client is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780005
        • comment xmlrpc-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780006
      • AND
        • comment xmlrpc-common is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780011
        • comment xmlrpc-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780012
      • AND
        • comment xmlrpc-javadoc is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780007
        • comment xmlrpc-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780008
      • AND
        • comment xmlrpc-server is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780009
        • comment xmlrpc-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780010
    rhsa
    id RHSA-2018:1780
    released 2018-05-31
    severity Important
    title RHSA-2018:1780: xmlrpc security update (Important)
  • rhsa
    id RHSA-2018:1784
  • rhsa
    id RHSA-2018:2317
  • rhsa
    id RHSA-2018:3768
rpms
  • xmlrpc3-client-0:3.0-4.17.el6_9
  • xmlrpc3-client-devel-0:3.0-4.17.el6_9
  • xmlrpc3-common-0:3.0-4.17.el6_9
  • xmlrpc3-common-devel-0:3.0-4.17.el6_9
  • xmlrpc3-javadoc-0:3.0-4.17.el6_9
  • xmlrpc3-server-0:3.0-4.17.el6_9
  • xmlrpc3-server-devel-0:3.0-4.17.el6_9
  • xmlrpc-client-1:3.1.3-9.el7_5
  • xmlrpc-common-1:3.1.3-9.el7_5
  • xmlrpc-javadoc-1:3.1.3-9.el7_5
  • xmlrpc-server-1:3.1.3-9.el7_5
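The OVAL definitions above are pairs of "<package> is earlier than <E:V-R>" tests, and the rpms list gives the fixed builds those tests compare against. As an added example (not Red Hat's OVAL engine or any vendor tool), the Python below ports rpm's rpmvercmp segment comparison, adds epoch handling, builds the fixed-version table from the labels on this page, and applies the "earlier than" test to constructed rpm -qa output. The installed versions in SAMPLE_RPM_QUERY are invented for illustration; the fixed versions are the ones listed above.

```python
"""Apply this page's OVAL "is earlier than <E:V-R>" tests to installed packages.
Added example, not Red Hat's OVAL engine or any vendor tool; rpmvercmp is a
port of rpm's segment comparison (tilde handled, caret omitted)."""

# Fixed builds, copied from the rpms list on this page (name-E:V-R labels).
FIXED_LABELS = [
    "xmlrpc3-client-0:3.0-4.17.el6_9",
    "xmlrpc3-client-devel-0:3.0-4.17.el6_9",
    "xmlrpc3-common-0:3.0-4.17.el6_9",
    "xmlrpc3-common-devel-0:3.0-4.17.el6_9",
    "xmlrpc3-javadoc-0:3.0-4.17.el6_9",
    "xmlrpc3-server-0:3.0-4.17.el6_9",
    "xmlrpc3-server-devel-0:3.0-4.17.el6_9",
    "xmlrpc-client-1:3.1.3-9.el7_5",
    "xmlrpc-common-1:3.1.3-9.el7_5",
    "xmlrpc-javadoc-1:3.1.3-9.el7_5",
    "xmlrpc-server-1:3.1.3-9.el7_5",
]

def _take(s, k, pred):
    start = k                                  # consume a run of pred chars
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k

def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release ordering: 1 if a newer, -1 if b newer, 0 equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                             # separators are ignored
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                           # '~' sorts before anything
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return 1 if tb else -1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, i = _take(a, i, pred)
        sb, j = _take(b, j, pred)
        if not sb:                             # numeric beats alpha segment
            return 1 if isnum else -1
        if isnum and int(sa) != int(sb):
            return 1 if int(sa) > int(sb) else -1
        if not isnum and sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1            # leftover segments win

def parse_evr(evr: str):
    """'E:V-R' -> (epoch, version, release); missing or '(none)' epoch is 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.partition("-")
    return int(epoch) if epoch not in ("", "(none)") else 0, version, release

def evrcmp(a: str, b: str) -> int:
    """Epoch numerically, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# name-E:V-R -> {name: 'E:V-R'}; names contain dashes, so split from the right.
FIXED = {lbl.rsplit("-", 2)[0]: "-".join(lbl.rsplit("-", 2)[1:]) for lbl in FIXED_LABELS}

def is_vulnerable(line: str):
    """line: '<name> <E:V-R>' as from rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n'.
    True/False for packages this advisory covers, None otherwise."""
    name, evr = line.split()
    fixed = FIXED.get(name)
    return None if fixed is None else evrcmp(evr, fixed) < 0

def audit(rpm_output: str):
    """Map each covered package in rpm_output to 'vulnerable' or 'fixed'."""
    verdicts = {}
    for line in filter(None, rpm_output.splitlines()):
        v = is_vulnerable(line)
        if v is not None:
            verdicts[line.split()[0]] = "vulnerable" if v else "fixed"
    return verdicts

# Constructed rpm output; the installed versions are invented for illustration.
SAMPLE_RPM_QUERY = """\
xmlrpc3-client (none):3.0-4.16.el6
xmlrpc-client 1:3.1.3-8.el7
xmlrpc-common 1:3.1.3-9.el7_5
xmlrpc-server 1:3.1.3-10.el7_6
nspr (none):4.19.0-1.el7
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RPM_QUERY))
```

The epoch matters here: the RHEL 7 builds carry epoch 1, so a string or version-only comparison against 3.1.3 would misjudge them; always compare the full E:V-R. The caret ('^') ordering added in newer rpm releases is left out because none of the versions on this page use it.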
refmap via4
bid
  • 91736
  • 91738
misc https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
mlist [oss-security] 20160712 Vulnerabilities in Apache Archiva
sectrack 1036294
xf apache-archiva-cve20165003-code-exec(115043)
Last major update 27-10-2017 - 14:29
Published 27-10-2017 - 14:29
Last modified 05-12-2018 - 06:29