Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 713098 (CVE-2016-5002, CVE-2016-5003, CVE-2019-17570) - dev-java/xmlrpc: Multiple vulnerabilities (CVE-2016-{5002,5003}. CVE-2019-17570)
Summary: dev-java/xmlrpc: Multiple vulnerabilities (CVE-2016-{5002,5003}. CVE-2019-17570)
Status: IN_PROGRESS
Alias: CVE-2016-5002, CVE-2016-5003, CVE-2019-17570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream/ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-18 01:12 UTC by Sam James
Modified: 2020-09-20 02:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-18 01:12:15 UTC
1) CVE-2016-5002:
Description:
"XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=1508110

2) CVE-2016-5003:
Description:
"The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=1508123

---

Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/

Patches:
https://src.fedoraproject.org/rpms/xmlrpc/c/2db59ec8a8b4d358802e98ce0151af84d7b93752?branch=master
https://src.fedoraproject.org/rpms/xmlrpc/c/ef4efbf91d241070f6f41950f7536049688a3a67?branch=master

Not clear if this has been fixed upstream at all.
Comment 1 John Helmert III gentoo-dev Security 2020-09-20 02:48:40 UTC
CVE-2019-17570:

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.


Patch from Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1775193): https://bugzilla.redhat.com/attachment.cgi?id=1644752&action=diff

This seems to indicate xmlrpc is no longer maintained: https://www.openwall.com/lists/oss-security/2020/01/24/2