Vulnerabilities > CVE-2019-17570 - Deserialization of Untrusted Data vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 | |
| Application | 1 | |
| OS | 3 | |
| OS | 2 | |
| OS | 2 | |
| OS | 5 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2078.NASL description An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Clients that expect to get server-side exceptions need to set the enabledForExceptions property to true in order to process serialized exception messages again. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 133362 published 2020-01-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133362 title Debian DLA-2078-1 : libxmlrpc3-java security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2078-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(133362); script_version("1.3"); script_cvs_date("Date: 2020/02/04"); script_cve_id("CVE-2019-17570"); script_name(english:"Debian DLA-2078-1 : libxmlrpc3-java security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Clients that expect to get server-side exceptions need to set the enabledForExceptions property to true in order to process serialized exception messages again. For Debian 8 'Jessie', this problem has been fixed in version 3.1.3-7+deb8u1. We recommend that you upgrade your libxmlrpc3-java packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/libxmlrpc3-java" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17570"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxmlrpc3-client-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxmlrpc3-common-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxmlrpc3-java-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxmlrpc3-server-java"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libxmlrpc3-client-java", reference:"3.1.3-7+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxmlrpc3-common-java", reference:"3.1.3-7+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxmlrpc3-java-doc", reference:"3.1.3-7+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxmlrpc3-server-java", reference:"3.1.3-7+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4619.NASL description Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. Note that a client that expects to get server-side exceptions need to set explicitly the enabledForExceptions property. last seen 2020-06-01 modified 2020-06-02 plugin id 133534 published 2020-02-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133534 title Debian DSA-4619-1 : libxmlrpc3-java - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4619. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(133534); script_version("1.2"); script_cvs_date("Date: 2020/02/13"); script_cve_id("CVE-2019-17570"); script_xref(name:"DSA", value:"4619"); script_name(english:"Debian DSA-4619-1 : libxmlrpc3-java - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. Note that a client that expects to get server-side exceptions need to set explicitly the enabledForExceptions property." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949089" ); # https://security-tracker.debian.org/tracker/source-package/libxmlrpc3-java script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5fb81123" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/libxmlrpc3-java" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/libxmlrpc3-java" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2020/dsa-4619" ); script_set_attribute( attribute:"solution", value: "Upgrade the libxmlrpc3-java packages. For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1. For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxmlrpc3-java"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"libxmlrpc3-client-java", reference:"3.1.3-9+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libxmlrpc3-common-java", reference:"3.1.3-9+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libxmlrpc3-java-doc", reference:"3.1.3-9+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libxmlrpc3-server-java", reference:"3.1.3-9+deb10u1")) flag++; if (deb_check(release:"9.0", prefix:"libxmlrpc3-client-java", reference:"3.1.3-8+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxmlrpc3-common-java", reference:"3.1.3-8+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxmlrpc3-java-doc", reference:"3.1.3-8+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxmlrpc3-server-java", reference:"3.1.3-8+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
| advisories |
| ||||
| rpms |
|
References
- https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/01/24/2
- https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html
- https://access.redhat.com/errata/RHSA-2020:0310
- https://www.debian.org/security/2020/dsa-4619
- https://seclists.org/bugtraq/2020/Feb/8
- https://usn.ubuntu.com/4496-1/
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/
- https://security.gentoo.org/glsa/202401-26