ID CVE-2016-5003
Summary The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:ws-xmlrpc:3.1.3:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-12-2018 - 11:29)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1508123
    title tag
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment xmlrpc3-client is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779001
          • comment xmlrpc3-client is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779002
        • AND
          • comment xmlrpc3-client-devel is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779003
          • comment xmlrpc3-client-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779004
        • AND
          • comment xmlrpc3-common is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779005
          • comment xmlrpc3-common is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779006
        • AND
          • comment xmlrpc3-common-devel is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779007
          • comment xmlrpc3-common-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779008
        • AND
          • comment xmlrpc3-javadoc is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779009
          • comment xmlrpc3-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779010
        • AND
          • comment xmlrpc3-server is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779011
          • comment xmlrpc3-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779012
        • AND
          • comment xmlrpc3-server-devel is earlier than 0:3.0-4.17.el6_9
            oval oval:com.redhat.rhsa:tst:20181779013
          • comment xmlrpc3-server-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181779014
    rhsa
    id RHSA-2018:1779
    released 2018-05-31
    severity Important
    title RHSA-2018:1779: xmlrpc3 security update (Important)
  • bugzilla
    id 1508123
    title tag
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment xmlrpc-client is earlier than 1:3.1.3-9.el7_5
            oval oval:com.redhat.rhsa:tst:20181780001
          • comment xmlrpc-client is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181780002
        • AND
          • comment xmlrpc-common is earlier than 1:3.1.3-9.el7_5
            oval oval:com.redhat.rhsa:tst:20181780003
          • comment xmlrpc-common is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181780004
        • AND
          • comment xmlrpc-javadoc is earlier than 1:3.1.3-9.el7_5
            oval oval:com.redhat.rhsa:tst:20181780005
          • comment xmlrpc-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181780006
        • AND
          • comment xmlrpc-server is earlier than 1:3.1.3-9.el7_5
            oval oval:com.redhat.rhsa:tst:20181780007
          • comment xmlrpc-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181780008
    rhsa
    id RHSA-2018:1780
    released 2018-05-31
    severity Important
    title RHSA-2018:1780: xmlrpc security update (Important)
  • rhsa
    id RHSA-2018:1784
  • rhsa
    id RHSA-2018:2317
  • rhsa
    id RHSA-2018:3768
rpms
  • xmlrpc3-client-0:3.0-4.17.el6_9
  • xmlrpc3-client-devel-0:3.0-4.17.el6_9
  • xmlrpc3-common-0:3.0-4.17.el6_9
  • xmlrpc3-common-devel-0:3.0-4.17.el6_9
  • xmlrpc3-javadoc-0:3.0-4.17.el6_9
  • xmlrpc3-server-0:3.0-4.17.el6_9
  • xmlrpc3-server-devel-0:3.0-4.17.el6_9
  • xmlrpc-client-1:3.1.3-9.el7_5
  • xmlrpc-common-1:3.1.3-9.el7_5
  • xmlrpc-javadoc-1:3.1.3-9.el7_5
  • xmlrpc-server-1:3.1.3-9.el7_5
  • rh-java-common-xmlrpc-client-1:3.1.3-8.16.el6
  • rh-java-common-xmlrpc-client-1:3.1.3-8.16.el7
  • rh-java-common-xmlrpc-common-1:3.1.3-8.16.el6
  • rh-java-common-xmlrpc-common-1:3.1.3-8.16.el7
  • rh-java-common-xmlrpc-javadoc-1:3.1.3-8.16.el6
  • rh-java-common-xmlrpc-javadoc-1:3.1.3-8.16.el7
  • rh-java-common-xmlrpc-server-1:3.1.3-8.16.el6
  • rh-java-common-xmlrpc-server-1:3.1.3-8.16.el7
refmap via4
bid
  • 91736
  • 91738
misc https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
mlist
  • [oss-security] 20160712 Vulnerabilities in Apache Archiva
  • [oss-security] 20200116 [CVE-2019-17570] xmlrpc-common untrusted deserialization
  • [oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization
sectrack 1036294
xf apache-archiva-cve20165003-code-exec(115043)
Last major update 05-12-2018 - 11:29
Published 27-10-2017 - 18:29
Last modified 05-12-2018 - 11:29