The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
Created xmlrpc tracking bugs for this issue: Affects: fedora-all [bug 1508124]
Mitigation: The enabledForExtensions setting is false by default, so <ex:serializable> elements are not deserialized unless an application has turned extensions on. If you have enabled it and do not need any of the extension functions (https://ws.apache.org/xmlrpc/extensions.html), we suggest disabling it. Disabling extensions is a workaround only; affected versions should still be updated.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1779 https://access.redhat.com/errata/RHSA-2018:1779
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1780 https://access.redhat.com/errata/RHSA-2018:1780
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:1784 https://access.redhat.com/errata/RHSA-2018:1784
This vulnerability also affects XML-RPC clients built on this library when they are used against untrusted servers: the same parser handles <ex:serializable> in responses, so a malicious server can deliver the crafted object to a client whose configuration has enabledForExtensions set to true.
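The mitigation above applies on both sides of the connection. The following is an added example, not code from the advisory or from the ws-xmlrpc project, showing a server and a client wired with extensions explicitly disabled, plus a small guard that can be called from a startup check or test to fail fast if a configuration re-enables them. The Calculator handler, the port, the URL and the class names are assumptions for the example; XmlRpcServerConfigImpl, XmlRpcClientConfigImpl, setEnabledForExtensions and isEnabledForExtensions are the library's own API.

```java
import java.net.URL;

import org.apache.xmlrpc.XmlRpcConfig;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
import org.apache.xmlrpc.server.PropertyHandlerMapping;
import org.apache.xmlrpc.server.XmlRpcServer;
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;
import org.apache.xmlrpc.webserver.WebServer;

/**
 * Hardened ws-xmlrpc 3.1.x wiring (example, not project code): extensions,
 * and with them <ex:serializable> Java deserialization, are disabled on
 * both the server and the client configuration. Calculator, the port and
 * the URL are assumptions made for this example.
 */
public class XmlRpcHardening {

    /** Example handler exposed as "Calculator.add" (assumed for the example). */
    public static class Calculator {
        public int add(int a, int b) {
            return a + b;
        }
    }

    /** Server config that will not parse <ex:serializable> elements. */
    public static XmlRpcServerConfigImpl serverConfig() {
        XmlRpcServerConfigImpl config = new XmlRpcServerConfigImpl();
        // false is the library default; setting it explicitly records the
        // decision and overrides any copied example that turned it on.
        config.setEnabledForExtensions(false);
        return config;
    }

    /** Starts the embedded WebServer with the hardened configuration. */
    public static WebServer startServer(int port) throws Exception {
        WebServer webServer = new WebServer(port);
        XmlRpcServer server = webServer.getXmlRpcServer();
        PropertyHandlerMapping mapping = new PropertyHandlerMapping();
        mapping.addHandler("Calculator", Calculator.class);
        server.setHandlerMapping(mapping);
        server.setConfig(serverConfig());
        assertExtensionsDisabled(serverConfig());
        webServer.start();
        return webServer;
    }

    /** Client side: same flag; this is what protects a client talking to an untrusted server. */
    public static XmlRpcClient client(URL serverUrl) {
        XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
        config.setServerURL(serverUrl);
        config.setEnabledForExtensions(false);
        assertExtensionsDisabled(config);
        XmlRpcClient client = new XmlRpcClient();
        client.setConfig(config);
        return client;
    }

    /** Guard for audits and tests: refuse to run if any config re-enabled extensions. */
    public static void assertExtensionsDisabled(XmlRpcConfig... configs) {
        for (XmlRpcConfig config : configs) {
            if (config.isEnabledForExtensions()) {
                throw new IllegalStateException(
                        config.getClass().getSimpleName()
                        + " has enabledForExtensions=true; <ex:serializable> would be deserialized");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        WebServer ws = startServer(8080);
        try {
            XmlRpcClient c = client(new URL("http://127.0.0.1:8080/"));
            Object result = c.execute("Calculator.add", new Object[] {2, 3});
            System.out.println("Calculator.add(2, 3) = " + result);
        } finally {
            ws.shutdown();
        }
    }
}
```

With extensions disabled, a request or response carrying <ex:serializable> fails to parse instead of being handed to Java deserialization. The guard is only useful if it is wired into the path that builds the configuration; a separate config object created elsewhere with the flag set to true is not covered.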
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2317 https://access.redhat.com/errata/RHSA-2018:2317
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
Patch (as applied in the Fedora xmlrpc package): https://src.fedoraproject.org/rpms/xmlrpc/c/ef4efbf91d241070f6f41950f7536049688a3a67?branch=master