REDHAT-BUG-1775193
First published: Thu Nov 21 2019(Updated: )
Guillaume Teissier reported a flaw in Apache XMLRPC: Java untrusted deserialization in faultCause when processing an XMLRPC response. XMLRPC clients are thus targeted by this vulnerability, and rogue XMLRPC servers may gain arbitrary code execution on the XMLRPC client. The vulnerability lays in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult(Object) method. This vulnerability is different from <a href="https://access.redhat.com/security/cve/CVE-2016-5003">CVE-2016-5003</a>, which uses ex:serializable type to perform deserialization. This new vulnerability only affects XMLRPC clients, which will receive response, possible faults. It is exploitable in default configuration.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP XML-RPC |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2016-5003
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1775192
- http://svn.apache.org/viewvc?view=revision&revision=442177
- https://ws.apache.org/xmlrpc/server.html
- https://ws.apache.org/xmlrpc/client.html
- https://ws.apache.org/xmlrpc/apidocs/org/apache/xmlrpc/common/XmlRpcHttpRequestConfigImpl.html#setEnabledForExceptions%28boolean%29
- https://ws.apache.org/xmlrpc/apidocs/org/apache/xmlrpc/server/XmlRpcServerConfigImpl.html#setEnabledForExceptions%28boolean%29
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1644752&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1644752&action=edit
- https://access.redhat.com/security/cve/CVE-2019-17570
- https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.5/html-single/3.5_release_notes/index#support-limits-and-removals
- https://seclists.org/oss-sec/2020/q1/10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1791766
- https://access.redhat.com/errata/RHSA-2020:0310
- https://access.redhat.com/security/cve/cve-2019-17570
- https://access.redhat.com/errata/RHSA-2020:0983
- https://bugzilla.redhat.com/show_bug.cgi?id=1775193
Frequently Asked Questions
What is the severity of REDHAT-BUG-1775193?
The severity of REDHAT-BUG-1775193 is critical due to the potential for arbitrary code execution.
How do I fix REDHAT-BUG-1775193?
To fix REDHAT-BUG-1775193, update to the latest patched version of Apache XML-RPC that addresses this vulnerability.
Which software is affected by REDHAT-BUG-1775193?
Apache XML-RPC is the software affected by REDHAT-BUG-1775193.
What type of vulnerability is REDHAT-BUG-1775193?
REDHAT-BUG-1775193 is an untrusted deserialization vulnerability in Apache XML-RPC.
Who reported the vulnerability REDHAT-BUG-1775193?
The vulnerability REDHAT-BUG-1775193 was reported by Guillaume Teissier.
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-17570
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/php xml-rpc