
Bug 713098 (CVE-2016-5002, CVE-2016-5003, CVE-2019-17570)

Summary: dev-java/xmlrpc: Multiple vulnerabilities (CVE-2016-{5002,5003}, CVE-2019-17570)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, java
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/21673
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 01:12:15 UTC
1) CVE-2016-5002:
Description:
"XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=1508110

2) CVE-2016-5003:
Description:
"The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=1508123

---

Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/

Patches:
https://src.fedoraproject.org/rpms/xmlrpc/c/2db59ec8a8b4d358802e98ce0151af84d7b93752?branch=master
https://src.fedoraproject.org/rpms/xmlrpc/c/ef4efbf91d241070f6f41950f7536049688a3a67?branch=master

Not clear if this has been fixed upstream at all.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 02:48:40 UTC
CVE-2019-17570:

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Patch from Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1775193): https://bugzilla.redhat.com/attachment.cgi?id=1644752&action=diff

This seems to indicate xmlrpc is no longer maintained: https://www.openwall.com/lists/oss-security/2020/01/24/2
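Both bug classes described in this report are triggered by XML constructs that a plain XML-RPC exchange never needs: a DTD (the XXE/SSRF of CVE-2016-5002) and the Apache extension element <ex:serializable> carrying a serialized Java object (CVE-2016-5003 and CVE-2019-17570, on the server and client side respectively). The following added example, which is not part of this bug report or of Apache XML-RPC, is a defender-side pre-parse guard in Python that refuses any message carrying either construct before the real XML-RPC parser sees it; the sample messages and the `urn:example` namespace are constructed for the demonstration.

```python
"""Pre-parse guard for XML-RPC messages: reject DOCTYPE and <ex:serializable>."""
import xml.parsers.expat


class RejectedXml(ValueError):
    """Raised when a message carries a construct the guard refuses."""


def check_xmlrpc_message(data: bytes) -> bool:
    """Return True if data is well-formed XML with no DOCTYPE and no
    <ex:serializable> element; raise RejectedXml otherwise."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD, internal subset or external reference, is refused outright;
        # XML-RPC never needs one, so this closes the XXE/SSRF path.
        raise RejectedXml(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

    def on_start_element(name, attrs):
        # Match on the local name so the check does not depend on the
        # namespace prefix chosen by the sender ("ex:" is only a convention).
        if name.rsplit(":", 1)[-1] == "serializable":
            raise RejectedXml(f"element <{name}> (serialized Java object) not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXml(f"malformed XML: {exc}") from exc
    return True


def is_accepted(data: bytes) -> bool:
    """Boolean wrapper for use in a request/response filter."""
    try:
        return check_xmlrpc_message(data)
    except RejectedXml:
        return False


# Constructed sample messages (not taken from the bug report).
SAFE_CALL = b'<?xml version="1.0"?><methodCall><methodName>ping</methodName><params/></methodCall>'
DTD_CALL = (b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY greet "hi">]>'
            b'<methodCall><methodName>&greet;</methodName></methodCall>')
SERIALIZED_RESPONSE = (b'<?xml version="1.0"?><methodResponse xmlns:ex="urn:example:extensions">'
                       b'<params><param><value><ex:serializable>AAAA</ex:serializable>'
                       b'</value></param></params></methodResponse>')

if __name__ == "__main__":
    for label, msg in (("safe", SAFE_CALL), ("dtd", DTD_CALL), ("serializable", SERIALIZED_RESPONSE)):
        print(label, "accepted" if is_accepted(msg) else "rejected")
```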
Comment 2 Larry the Git Cow gentoo-dev 2021-07-16 08:54:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0d5aabee9dc3d54e42ab291daab4995def8d8e6

commit d0d5aabee9dc3d54e42ab291daab4995def8d8e6
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-07-16 08:28:24 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-16 08:54:24 +0000

    package.mask: last-rite dev-java/xmlrpc
    
    Bug: https://bugs.gentoo.org/713098
    
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21673
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2021-08-14 19:13:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebd8cc5a482a443f3af3965678bff2fe317c228c

commit ebd8cc5a482a443f3af3965678bff2fe317c228c
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-14 19:12:31 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-14 19:12:31 +0000

    dev-java/xmlrpc: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/713098
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-java/xmlrpc/Manifest            |  2 --
 dev-java/xmlrpc/metadata.xml        | 13 --------
 dev-java/xmlrpc/xmlrpc-3.1.3.ebuild | 61 -------------------------------------
 profiles/package.mask               |  5 ---
 4 files changed, 81 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-22 14:38:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6ee7e022f8f6a1893b71cb4e09707f9eb56fa40b

commit 6ee7e022f8f6a1893b71cb4e09707f9eb56fa40b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-22 14:37:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-22 14:37:59 +0000

    [ GLSA 202401-26 ] Apache XML-RPC: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/713098
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-26.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)