Description
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed upstream.
The flaw is that the XML-RPC client implementation in Apache XML-RPC deserializes the server-side exception that a server may serialize into the faultCause attribute of an XML-RPC error (fault) response. Because the bytes come straight from the remote peer and are passed to Java object deserialization, a malicious or compromised XML-RPC server can use this to execute arbitrary code with the privileges of the application using the Apache XML-RPC client library.
Statement
Red Hat Enterprise Linux 7 provides a vulnerable version of xmlrpc via the Optional repository. As the Optional repository is not supported, this issue is not planned to be addressed there. Red Hat Virtualization Manager uses xmlrpc only for internal communication with the scheduler. Since that endpoint is a component of the Manager itself, it is not subject to attacker influence and does not represent an attack surface.
Mitigation
There is no known mitigation in the library itself; the only option is to prevent applications that use the Apache XML-RPC client library from sending requests to untrusted XML-RPC servers, since any server that can answer a request can return a crafted fault response.
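The following is an added example, not code from this advisory or from the Apache XML-RPC project. It illustrates the pattern the description refers to (a fault map whose faultCause entry holds serialized Java object bytes that are fed to ObjectInputStream.readObject()) and shows the one defence-in-depth measure an application owner controls without touching the library: a JVM-wide serialization filter (JEP 290, Java 9 and later). The class and method names (FaultCauseDemo, buildFault, deserializeFaultCause, installRejectAllFilter) are assumptions chosen for the example, the deserializing method is a simplified reconstruction of the described behaviour rather than the library's source, and the fault payload is constructed test data: a harmless RuntimeException stands in where a hostile server would place a gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

public class FaultCauseDemo {

    // Constructed fault map shaped like the fault response described above:
    // faultCode, faultString and a faultCause carrying a serialized Throwable.
    // The payload here is a plain RuntimeException; the bytes are entirely
    // under the remote server's control in the real protocol exchange.
    static Map<String, Object> buildFault() throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new RuntimeException("server-side failure"));
        }
        Map<String, Object> fault = new HashMap<>();
        fault.put("faultCode", 1);
        fault.put("faultString", "server-side failure");
        fault.put("faultCause", bos.toByteArray());
        return fault;
    }

    // The vulnerable pattern (simplified illustration, not the library's code):
    // whatever bytes the server placed in faultCause go straight into
    // ObjectInputStream.readObject(), which runs the readObject()/readResolve()
    // logic of any serializable class on the client's classpath.
    static Throwable deserializeFaultCause(Map<String, Object> fault) throws Exception {
        Object cause = fault.get("faultCause");
        if (!(cause instanceof byte[])) {
            return null;
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream((byte[]) cause))) {
            return (Throwable) ois.readObject();
        }
    }

    // Defence in depth for applications that must keep using the unmaintained
    // client: a process-wide serialization filter that rejects every class.
    // It does not change the library, but readObject() on the faultCause bytes
    // now fails before any attacker-chosen class is resolved or instantiated.
    // The filter can be set only once per JVM; the equivalent launch flag is
    // -Djdk.serialFilter='!*' and needs no code change.
    static void installRejectAllFilter() {
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("!*"));
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> fault = buildFault();

        // Without a filter the bytes deserialize, as in the vulnerable client.
        Throwable t = deserializeFaultCause(fault);
        System.out.println("unfiltered: " + t);

        installRejectAllFilter();
        try {
            deserializeFaultCause(fault);
            System.out.println("filtered: unexpectedly succeeded");
        } catch (InvalidClassException e) {
            // JEP 290 reports a rejected class as InvalidClassException.
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

A reject-all pattern breaks every use of Java serialization in the process, so an application that legitimately deserializes its own types should narrow the pattern to an allow-list of those classes followed by `!*`. The filter limits the damage of this flaw; it does not make it safe to talk to untrusted XML-RPC servers.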
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | xmlrpc | Not affected | ||
| Red Hat Enterprise Linux 6 | xmlrpc3 | Not affected | ||
| Red Hat Enterprise Linux 7 | xmlrpc | Will not fix | ||
| Red Hat Fuse 7 | camel-xmlrpc | Not affected | ||
| Red Hat JBoss Fuse 6 | camel-xmlrpc | Affected | ||
| Red Hat Storage 3 | xmlrpc-common | Out of support scope | ||
| Red Hat Virtualization 4 | xmlrpc-common | Will not fix | ||
| Red Hat Fuse 7.6.0 | camel-xmlrpc | Fixed | RHSA-2020:0983 | 26.03.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-java-common-xmlrpc | Fixed | RHSA-2020:0310 | 30.01.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-java-common-xmlrpc | Fixed | RHSA-2020:0310 | 30.01.2020 |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
A vulnerability in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC library, caused by deserialization of untrusted data, allowing an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
CVSS3: 9.8 Critical