CVE-2016-5003
Published 2017-10-27. CVE-2016-5003: The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java…
Priority: P2 · 64 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.88% (96.3rd percentile)
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | ws-xmlrpc | — | — |
Detection & IOCs (extracted from sources)
- The attack vector is a crafted serialized Java object delivered inside an <ex:serializable> XML element in an XML-RPC request. Detection should focus on XML-RPC traffic containing the <ex:serializable> tag.
- The vulnerability is only exploitable when the 'enabledForExtensions' configuration property is set to true on the server. It is false by default, so default installations are not vulnerable; audit server configurations for this setting.
- This CVE uses the ex:serializable type in the XML-RPC payload to trigger deserialization, which distinguishes it from CVE-2019-17570, where the sink is the faultCause member of an error response. Signature-based detection should look for 'ex:serializable' in XML-RPC request bodies.
- The vulnerability can also be triggered against XML-RPC clients that connect to a malicious or untrusted server, not only against servers receiving crafted requests.
- The affected library version is Apache XML-RPC (ws-xmlrpc) 3.1.3. Older versions shipped with RHEL 5/6 that predate the relevant code additions may not be affected.
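The two XML-RPC deserialization sinks listed above can be told apart on the wire. The scanner below is an added example written for this page, not code from the ws-xmlrpc project or from any of the cited advisories. It parses one XML-RPC body, flags every <ex:serializable> element (CVE-2016-5003), checks whether the element's base64 content starts with the java.io.ObjectOutputStream stream header, and separately flags a faultCause member inside a fault response (CVE-2019-17570). It also reports which side parses the message, since a serializable value in a methodResponse targets the client. The namespace URI is the one ws-xmlrpc binds to the ex: prefix; the sample bodies, the method name in them and the blob are constructed (the blob is only a stream header plus a class-descriptor prefix, not a gadget chain).

```python
import base64
import xml.etree.ElementTree as ET

# Header written by java.io.ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Namespace ws-xmlrpc binds to the "ex:" prefix for its extension types.
EXTENSIONS_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"


def _localname(tag):
    """ElementTree spells namespaced tags as '{uri}local'; return 'local'."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _decode_b64(text):
    """Strict base64 decode of an element body, or None if it is not base64."""
    try:
        return base64.b64decode("".join((text or "").split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_xmlrpc(body):
    """Return a list of findings for one XML-RPC request or response body.

    A finding inside <methodCall> targets the server parsing the request;
    one inside <methodResponse> targets the client parsing the reply.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [{"rule": "malformed-xml", "detail": str(exc)}]

    target = "server" if _localname(root.tag) == "methodCall" else "client"
    findings = []
    for el in root.iter():
        name = _localname(el.tag)
        if name == "serializable":
            # CVE-2016-5003: body is base64 of an ObjectOutputStream stream that
            # ws-xmlrpc hands to ObjectInputStream when enabledForExtensions is true.
            blob = _decode_b64(el.text)
            findings.append({
                "rule": "CVE-2016-5003",
                "target": target,
                "in_extensions_ns": _namespace(el.tag) == EXTENSIONS_NS,
                "java_stream": blob is not None and blob.startswith(JAVA_STREAM_MAGIC),
                "blob_len": len(blob) if blob is not None else 0,
            })
        elif name == "member":
            # CVE-2019-17570: a fault struct carrying a faultCause member that the
            # client deserializes even with extensions disabled.
            mname = el.find("name")
            if mname is not None and (mname.text or "").strip() == "faultCause":
                findings.append({"rule": "CVE-2019-17570", "target": target})
    return findings


# Constructed samples, not captured traffic. FAKE_BLOB is the stream header
# followed by TC_OBJECT, TC_CLASSDESC and a class name: enough to exercise the
# magic-byte check and nothing more.
FAKE_BLOB = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
FAKE_B64 = base64.b64encode(FAKE_BLOB).decode()

SAMPLE_REQUEST = (
    f'<methodCall xmlns:ex="{EXTENSIONS_NS}">'
    "<methodName>example.echo</methodName>"
    f"<params><param><value><ex:serializable>{FAKE_B64}</ex:serializable>"
    "</value></param></params></methodCall>"
)

SAMPLE_FAULT = (
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>0</int></value></member>"
    "<member><name>faultString</name><value><string>boom</string></value></member>"
    f"<member><name>faultCause</name><value><base64>{FAKE_B64}</base64></value></member>"
    "</struct></value></fault></methodResponse>"
)

BENIGN_REQUEST = (
    "<methodCall><methodName>example.echo</methodName>"
    "<params><param><value><string>hello</string></value></param></params>"
    "</methodCall>"
)

if __name__ == "__main__":
    for label, body in (("request", SAMPLE_REQUEST), ("fault", SAMPLE_FAULT), ("benign", BENIGN_REQUEST)):
        print(label, scan_xmlrpc(body))
```

Matching on the local name rather than the literal string "ex:serializable" is deliberate: the prefix is chosen by the sender, so a signature keyed on the prefix alone is trivially evaded by rebinding the namespace to another prefix. The in_extensions_ns flag tells you whether the element would actually be recognised by ws-xmlrpc's extension parser, and java_stream tells you whether the payload is a real serialized stream rather than opaque bytes.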
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
ghsa · 2022-05-14
CVE-2016-5003 [CRITICAL] CWE-502: Apache XML-RPC vulnerable to Deserialization of Untrusted Data
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
OSV
osv · 2022-05-14
CVE-2016-5003 [CRITICAL] Apache XML-RPC vulnerable to Deserialization of Untrusted Data
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
Red Hat
vendor_redhat · 2016-05-24 · CVSS 9.8
CVE-2016-5003 [CRITICAL] CWE-502: xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library: it deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
Mitigation: enabledForExtensions is false by default, so <ex:serializable> elements are not deserialized unless it has been switched on. If you have it enabled and do not need any of the extension functions (https://ws.apache.org/xmlrpc/extensions.html), disable it.
Package: xmlrpc (JBoss
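The mitigation above is to leave enabledForExtensions off wherever the extension types are not needed, and the detection list earlier on this page asks for server configurations to be audited for that flag. The script below is an added example written for this page, not code from ws-xmlrpc, Red Hat or Apache; it looks in the two places the flag is normally switched on: an init-param named enabledForExtensions on the XmlRpcServlet entry in web.xml (XmlRpcServlet maps its init-params onto the server config's properties), and a call to setEnabledForExtensions(true) in Java source, which XmlRpcConfigImpl provides to both XmlRpcServerConfigImpl and XmlRpcClientConfigImpl. Both sample files are constructed; the servlet names, class names and file layout are assumptions, and the regex only catches a literal true argument, so a value computed at runtime still needs a manual look.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

FLAG = "enabledForExtensions"
# Programmatic enablement: XmlRpcConfigImpl.setEnabledForExtensions(boolean),
# inherited by XmlRpcServerConfigImpl and XmlRpcClientConfigImpl alike.
SETTER_RE = re.compile(r"\bsetEnabledForExtensions\s*\(\s*true\s*\)")


def _localname(tag):
    """web.xml carries a default namespace; compare tags by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, local):
    """Text of the first direct child with the given local name, or ''."""
    for child in parent:
        if _localname(child.tag) == local:
            return (child.text or "").strip()
    return ""


def audit_web_xml(text):
    """Return [(servlet-name, 'true')] for each <servlet> whose
    enabledForExtensions init-param is set to true."""
    hits = []
    for servlet in ET.fromstring(text).iter():
        if _localname(servlet.tag) != "servlet":
            continue
        sname = _child_text(servlet, "servlet-name") or "?"
        for ip in servlet:
            if _localname(ip.tag) != "init-param":
                continue
            if (_child_text(ip, "param-name") == FLAG
                    and _child_text(ip, "param-value").lower() == "true"):
                hits.append((sname, "true"))
    return hits


def audit_java_source(text):
    """Return 1-based line numbers that switch the flag on programmatically."""
    return [n for n, line in enumerate(text.splitlines(), 1) if SETTER_RE.search(line)]


def audit_tree(root_dir):
    """Walk a deployment or source tree and return (path, detail) pairs."""
    report = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == "web.xml":
                with open(path, encoding="utf-8") as fh:
                    for sname, _ in audit_web_xml(fh.read()):
                        report.append((path, f"servlet {sname}: {FLAG}=true"))
            elif fn.endswith(".java"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n in audit_java_source(fh.read()):
                        report.append((path, f"line {n}: setEnabledForExtensions(true)"))
    return report


# Constructed samples: a web.xml that enables the flag on one servlet, and a
# Java fragment with the weak server setting beside the hardened client one.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>XmlRpcServlet</servlet-name>
    <servlet-class>org.apache.xmlrpc.webserver.XmlRpcServlet</servlet-class>
    <init-param>
      <param-name>enabledForExtensions</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>Healthz</servlet-name>
    <servlet-class>com.example.Healthz</servlet-class>
  </servlet>
</web-app>
"""

SAMPLE_JAVA = """\
XmlRpcServerConfigImpl serverConfig = (XmlRpcServerConfigImpl) server.getConfig();
serverConfig.setEnabledForExtensions(true);   // weak: accepts <ex:serializable>
serverConfig.setEnabledForExceptions(true);
XmlRpcClientConfigImpl clientConfig = new XmlRpcClientConfigImpl();
clientConfig.setEnabledForExtensions(false);  // hardened: same as the default
"""

if __name__ == "__main__":
    print("web.xml:", audit_web_xml(SAMPLE_WEB_XML))
    print("java:", audit_java_source(SAMPLE_JAVA))
    if len(sys.argv) > 1:  # optional: audit a real tree given on the command line
        for path, detail in audit_tree(sys.argv[1]):
            print(path, detail)
```

Run it with a path argument to sweep an exploded WAR or a source checkout. A hit in web.xml is a live server-side exposure to CVE-2016-5003; a hit on a client config is the case the detection list describes, a client that will deserialize an <ex:serializable> value sent back by an untrusted server.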
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2019-11-21 · CVSS 9.8
CVE-2019-17570 [CRITICAL] xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response
Guillaume Teissier reported a flaw in Apache XMLRPC:
Java untrusted deserialization in faultCause when processing an XMLRPC response. XMLRPC clients are thus targeted by this vulnerability, and rogue XMLRPC servers may gain arbitrary code execution on the XMLRPC client.
The vulnerability lies in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult(Object) method.
This vulnerability is different from CVE-2016-5003, which uses the ex:serializable type to perform deserialization. This new vulnerability only affects XMLRPC clients, which receive responses, possibly faults. It is exploitable in the default configuration.
Acknowledgments:
Name: Guillaume Teissier (Orange
Bugzilla
bugzilla · 2017-10-31 · CVSS 9.8
CVE-2016-5003 [CRITICAL] xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
Discussion:
Created xmlrpc tracking bugs for this issue:
Affects: fedora-all [bug 1508124]
---
Mitigation:
enabledForExtensions is false by default, so <ex:serializable> elements are not deserialized unless it has been switched on. If you have it enabled and do not need any of the extension functions (https://ws.apache.org/xmlrpc/extensions.html), disable it.
---
This issue has been addr
Bugzilla
bugzilla · 2017-10-31 · CVSS 9.8
CVE-2016-5003 [CRITICAL] xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
arXiv
arxiv_fulltext · 2022-08-17
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
Imen Sayar (University of Toulouse, Blagnac, France; part of this research was conducted at the University of Luxembourg), Alexandre Bartel (Umeå University, Umeå, Sweden; part of this research was conducted at the University of Luxembourg and the University of Copenhagen), Eric Bodden (Paderborn University, Paderborn, Germany), Yves Le Traon (University of Luxembourg, Kirchberg Campus, Luxembourg)
## Abstract
Nowadays, an increasing number of applications use deserializatio
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
http://www.openwall.com/lists/oss-security/2020/01/16/1
http://www.openwall.com/lists/oss-security/2020/01/24/2
http://www.securityfocus.com/bid/91736
http://www.securityfocus.com/bid/91738
http://www.securitytracker.com/id/1036294
https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
https://access.redhat.com/errata/RHSA-2018:1779
https://access.redhat.com/errata/RHSA-2018:1780
https://access.redhat.com/errata/RHSA-2018:1784
https://access.redhat.com/errata/RHSA-2018:2317
https://access.redhat.com/errata/RHSA-2018:3768
https://exchange.xforce.ibmcloud.com/vulnerabilities/115043
https://security.gentoo.org/glsa/202401-26