The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ws-xmlrpc | Apache | 3.1.3 (including) | 3.1.3 (including) |
| Red Hat Enterprise Linux 6 | RedHat | xmlrpc3-0:3.0-4.17.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | xmlrpc-1:3.1.3-9.el7_5 | * |
| Red Hat Fuse 7.2 | RedHat | camel | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | xmlrpc-1:3.1.3-9.el7_5 | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2016/07/12/5
- http://www.openwall.com/lists/oss-security/2020/01/16/1
- http://www.openwall.com/lists/oss-security/2020/01/24/2
- http://www.securityfocus.com/bid/91736
- http://www.securityfocus.com/bid/91738
- http://www.securitytracker.com/id/1036294
- https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
- https://access.redhat.com/errata/RHSA-2018:1779
- https://access.redhat.com/errata/RHSA-2018:1780
- https://access.redhat.com/errata/RHSA-2018:1784
- https://access.redhat.com/errata/RHSA-2018:2317
- https://access.redhat.com/errata/RHSA-2018:3768
- https://exchange.xforce.ibmcloud.com/vulnerabilities/115043
- https://security.gentoo.org/glsa/202401-26
- http://www.openwall.com/lists/oss-security/2016/07/12/5
- http://www.openwall.com/lists/oss-security/2020/01/16/1
- http://www.openwall.com/lists/oss-security/2020/01/24/2
- http://www.securityfocus.com/bid/91736
- http://www.securityfocus.com/bid/91738
- http://www.securitytracker.com/id/1036294
- https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
- https://access.redhat.com/errata/RHSA-2018:1779
- https://access.redhat.com/errata/RHSA-2018:1780
- https://access.redhat.com/errata/RHSA-2018:1784
- https://access.redhat.com/errata/RHSA-2018:2317
- https://access.redhat.com/errata/RHSA-2018:3768
- https://exchange.xforce.ibmcloud.com/vulnerabilities/115043
- https://security.gentoo.org/glsa/202401-26