Description
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library: it deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
Mitigation
The enabledForExtensions setting is false by default, so ex:serializable elements are not deserialized unless it has been turned on. If you have enabled it and do not need any of the provided extension functions (https://ws.apache.org/xmlrpc/extensions.html), we suggest you disable it.
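As an added defender-side check (not code from the advisory or from the ws-xmlrpc project), this Python inspector parses an XML-RPC request body and flags any ex:serializable element before it reaches a server that still has enabledForExtensions turned on. It assumes the ex prefix maps to the namespace http://ws.apache.org/xmlrpc/namespaces/extensions; the sample bodies are constructed.

```python
"""Flag XML-RPC request bodies that carry an ex:serializable element."""
import xml.etree.ElementTree as ET

# Assumed ws-xmlrpc extensions namespace (the advisory's "ex" prefix).
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"


def split_tag(tag):
    """ElementTree renders a namespaced tag as '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def element_path(elem, parent):
    """Build 'methodCall/params/.../local' for an element using a child->parent map."""
    parts = []
    while elem is not None:
        parts.append(split_tag(elem.tag)[1])
        elem = parent.get(elem)
    return "/".join(reversed(parts))


def find_serializable(body):
    """Return (path, namespace, payload_length) for every <serializable> element.
    A body that does not parse yields one '<unparseable>' finding, so a malformed
    request is never silently treated as clean."""
    try:
        root = ET.fromstring(body)  # use defusedxml in production for entity-expansion safety
    except ET.ParseError as exc:
        return [("<unparseable>", "", str(exc))]
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():  # document order
        uri, local = split_tag(elem.tag)
        if local == "serializable":
            findings.append((element_path(elem, parent), uri, len((elem.text or "").strip())))
    return findings


def classify(body):
    """'allow' with no serializable element, 'block' when one is in the extensions
    namespace, 'review' for an unexpected namespace or a malformed body."""
    findings = find_serializable(body)
    if not findings:
        return "allow"
    if any(ns == EXT_NS for _, ns, _ in findings):
        return "block"
    return "review"


# Constructed sample bodies; the base64 text is just "placeholder", not a serialized object.
BENIGN_CALL = ('<?xml version="1.0"?><methodCall><methodName>Calculator.add</methodName>'
               "<params><param><value><i4>2</i4></value></param></params></methodCall>")
EXTENSION_CALL = (f'<?xml version="1.0"?><methodCall xmlns:ex="{EXT_NS}"><methodName>Calculator.add'
                  "</methodName><params><param><value><ex:serializable>cGxhY2Vob2xkZXI="
                  "</ex:serializable></value></param></params></methodCall>")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_CALL), ("extension", EXTENSION_CALL)):
        print(name, classify(body), find_serializable(body))
```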
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| JBoss Developer Studio 10 | xmlrpc | Not affected | | |
| JBoss Developer Studio 8 | xmlrpc | Not affected | | |
| Red Hat Enterprise Linux 5 | xmlrpc | Will not fix | | |
| Red Hat Fuse 7 | camel | Affected | | |
| Red Hat JBoss Fuse 6 | camel | Affected | | |
| Red Hat JBoss Fuse Integration Service 2 | xmlrpc-common | Affected | | |
| Red Hat Storage 3 | xmlrpc-common | Will not fix | | |
| Red Hat Enterprise Linux 6 | xmlrpc3 | Fixed | RHSA-2018:1779 | 31.05.2018 |
| Red Hat Enterprise Linux 7 | xmlrpc | Fixed | RHSA-2018:1780 | 31.05.2018 |
| Red Hat Fuse 7.2 | camel | Fixed | RHSA-2018:3768 | 04.12.2018 |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
Apache XML-RPC vulnerable to Deserialization of Untrusted Data
Vulnerability in the Apache XML-RPC (ws-xmlrpc) library related to restoring data from an external source without sufficient verification, allowing an attacker to execute arbitrary code