Red Hat Bugzilla – Bug 1508123
CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
Last modified: 2018-08-18 07:28:53 EDT
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
Created xmlrpc tracking bugs for this issue: Affects: fedora-all [bug 1508124]
Mitigation: The enabledForExtensions setting is false by default, so <ex:serializable> elements are not automatically deserialized. However, if you have enabled it and you don't need any of the provided extension functions (https://ws.apache.org/xmlrpc/extensions.html), we suggest you disable it.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2018:1779 (https://access.redhat.com/errata/RHSA-2018:1779)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2018:1780 (https://access.redhat.com/errata/RHSA-2018:1780)
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6; Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS, via RHSA-2018:1784 (https://access.redhat.com/errata/RHSA-2018:1784)
This vulnerability can also affect xmlrpc clients if they are used against untrusted servers.
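The following is an added example illustrating the mitigation above on both the server and the client side; it is not code from the bug report or from the Apache XML-RPC project. It uses the library's public XmlRpcServerConfigImpl and XmlRpcClientConfigImpl classes; the Calculator handler, the port and the endpoint URL are hypothetical.

```java
// Added example (not from the bug report or Apache XML-RPC): the risky
// enabledForExtensions=true setting beside the corrected default (false),
// for a ws-xmlrpc server and for a client that talks to servers it does not control.
import org.apache.xmlrpc.XmlRpcException;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
import org.apache.xmlrpc.server.PropertyHandlerMapping;
import org.apache.xmlrpc.server.XmlRpcServer;
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;
import org.apache.xmlrpc.webserver.WebServer;

import java.net.URL;

public class XmlRpcExtensionsConfig {

    /** Hypothetical handler exposed over XML-RPC (constructed for this example). */
    public static class Calculator {
        public int add(int a, int b) { return a + b; }
    }

    /** Builds a server; the boolean is the only difference between the weak and the hardened setup. */
    static WebServer buildServer(int port, boolean enableExtensions) throws XmlRpcException {
        WebServer web = new WebServer(port);
        XmlRpcServer server = web.getXmlRpcServer();
        PropertyHandlerMapping mapping = new PropertyHandlerMapping();
        mapping.addHandler("Calculator", Calculator.class);
        server.setHandlerMapping(mapping);
        // The default config object is an XmlRpcServerConfigImpl; the cast follows the library docs.
        XmlRpcServerConfigImpl cfg = (XmlRpcServerConfigImpl) server.getConfig();
        cfg.setEnabledForExtensions(enableExtensions);
        return web;
    }

    /** Weak: extensions on, so <ex:serializable> elements in requests are deserialized (CVE-2016-5003). */
    static WebServer weakServer(int port) throws XmlRpcException {
        return buildServer(port, true);
    }

    /** Corrected: extensions off (the library default) unless a listed extension feature is really needed. */
    static WebServer hardenedServer(int port) throws XmlRpcException {
        return buildServer(port, false);
    }

    /** Client side: keep extensions off when the server is not trusted, as the responses are parsed the same way. */
    static XmlRpcClient hardenedClient(URL endpoint) {
        XmlRpcClientConfigImpl cfg = new XmlRpcClientConfigImpl();
        cfg.setServerURL(endpoint);
        cfg.setEnabledForExtensions(false);
        XmlRpcClient client = new XmlRpcClient();
        client.setConfig(cfg);
        return client;
    }
}
```

A quick audit of an existing deployment is to grep the code base and any XML-RPC servlet configuration for `enabledForExtensions` and confirm that every occurrence that sets it to true is backed by an actual need for one of the documented extensions.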
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7, via RHSA-2018:2317 (https://access.redhat.com/errata/RHSA-2018:2317)