CVE-2019-17570
Published 2020-01-23
Priority P2 (70) · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 49.29% (98.7th percentile)
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apache_xml-rpc | — | — |
| apache | xml-rpc | — | — |
| apache | xml-rpc | — | — |
| apache | xml-rpc | — | — |
| apache | xml-rpc | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| redhat | software_collections | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable code path is in the `org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult` method — monitor for deserialization activity triggered from this method in Java stack traces or application logs.
- The exploit vector is the `faultCause` attribute in an XMLRPC error response — inspect XML-RPC traffic for responses containing a `faultCause` element carrying a serialized Java object (base64-encoded byte stream).
- The vulnerability is exploitable in the default configuration — any Apache XML-RPC client connecting to an untrusted server is at risk; the attacker needs no special client-side configuration.
- This vulnerability is distinct from CVE-2016-5003, which used the `ex:serializable` type; CVE-2019-17570 abuses the `faultCause` deserialization path — ensure detection rules cover both vectors separately.
- The vulnerable feature (`faultCause` deserialization) was introduced in xmlrpc 3.1 — target detection efforts at deployments running Apache XML-RPC 3.1 or later.
- The client deserializes `faultCause` regardless of whether `enabledForExceptions` is set — the client-side guard is not enforced, making the attack possible even when the client has not opted in to receiving serialized exceptions.
- The proposed patch fixes the issue by skipping `faultCause` processing when `enabledForExceptions` is false (the default) — after patching, clients must explicitly set `enabledForExceptions=true` to receive deserialized server-side exceptions.
- There is no known mitigation short of blocking connections to untrusted XML-RPC servers — the library is no longer maintained and will not receive an official upstream fix.
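As an added detection example (not code from this page or from the Apache XML-RPC project), the following Python script inspects XML-RPC responses for a fault struct whose `faultCause` member carries a base64 payload starting with the Java serialization stream header (`AC ED 00 05`), which is the byte stream the vulnerable client would hand to `ObjectInputStream`. The sample responses are constructed, and the fault-struct layout (`faultCode`, `faultString`, `faultCause` as `<base64>`) is an assumption about the wire format.

```python
import base64
import xml.etree.ElementTree as ET

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # Java ObjectOutputStream STREAM_MAGIC + version

def fault_members(xml_text):
    """Map member name -> <value> element of a response's fault struct ({} if no fault)."""
    root = ET.fromstring(xml_text)
    members = {}
    for member in root.findall("./fault/value/struct/member"):
        name, value = member.findtext("name"), member.find("value")
        if name is not None and value is not None:
            members[name.strip()] = value
    return members

def base64_payload(value_el):
    """Decode a <base64> child of a <value> element; None if absent or malformed."""
    node = value_el.find("base64")
    if node is None or not node.text:
        return None
    try:
        return base64.b64decode("".join(node.text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def inspect_response(xml_text):
    """Return 'ok', 'faultCause-present', 'suspicious' or 'malformed' for one response."""
    try:
        members = fault_members(xml_text)
    except ET.ParseError:
        return "malformed"
    if "faultCause" not in members:
        return "ok"
    payload = base64_payload(members["faultCause"])
    if payload is not None and payload.startswith(JAVA_SERIAL_MAGIC):
        return "suspicious"  # serialized Java object: exactly what the client would deserialize
    return "faultCause-present"

# Constructed sample responses (not captured traffic); member layout is assumed.
BENIGN_FAULT = """<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>4</int></value></member>
<member><name>faultString</name><value><string>Too many parameters.</string></value></member>
</struct></value></fault></methodResponse>"""
_STREAM = base64.b64encode(JAVA_SERIAL_MAGIC + b"sr\x00\x13java.lang.Exception").decode()
SUSPICIOUS_FAULT = f"""<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>0</int></value></member>
<member><name>faultString</name><value><string>boom</string></value></member>
<member><name>faultCause</name><value><base64>{_STREAM}</base64></value></member>
</struct></value></fault></methodResponse>"""
```

Run `inspect_response` over responses captured at a proxy or client-side logging hook; a `suspicious` result on a connection to a server the client does not control is the signal to block that server, not merely to log it.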
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV
Apache XML-RPC vulnerability
CVE-2019-17570 [CRITICAL] · osv · 2020-09-15 · CVSS 9.8
It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly
deserialize untrusted data. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2019-17570)
GHSA
Insecure Deserialization in Apache XML-RPC
CVE-2019-17570 [CRITICAL] · CWE-502 · ghsa · 2020-06-10
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code.
Apache XML-RPC is no longer maintained and this issue will not be fixed.
OSV
Insecure Deserialization in Apache XML-RPC
CVE-2019-17570 [CRITICAL] · osv · 2020-06-10
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code.
Apache XML-RPC is no longer maintained and this issue will not be fixed.
OSV
CVE-2019-17570: An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method
CVE-2019-17570 [CRITICAL] · osv · 2020-01-23 · CVSS 9.8
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Ubuntu
Apache XML-RPC vulnerability
CVE-2019-17570 [CRITICAL] · vendor_ubuntu · 2020-09-15 · CVSS 9.8
Summary: Apache XML-RPC could be made to execute arbitrary code if it received
specially crafted data by a malicious XML-RPC server.
It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly
deserialize untrusted data. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2019-17570)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response
CVE-2019-17570 [CRITICAL] · CWE-502 · vendor_redhat · 2020-01-16 · CVSS 9.8
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
A flaw was discovered where the XMLRPC client implementation in Apache XMLRPC performed deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library.
State: no detection rules found; no public exploits indexed.
Bugzilla
CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response [fedora-all]
CVE-2019-17570 [CRITICAL] · bugzilla · 2020-01-16 · CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
Bugzilla
CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response
CVE-2019-17570 [CRITICAL] · bugzilla · 2019-11-21 · CVSS 9.8
Guillaume Teissier reported a flaw in Apache XMLRPC:
Java untrusted deserialization in faultCause when processing an XMLRPC response. XMLRPC clients are thus targeted by this vulnerability, and rogue XMLRPC servers may gain arbitrary code execution on the XMLRPC client.
The vulnerability lies in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult(Object) method.
This vulnerability is different from CVE-2016-5003, which uses the ex:serializable type to perform deserialization. This new vulnerability only affects XMLRPC clients, which will receive responses, possibly faults. It is exploitable in the default configuration.
Discussion:
Acknowledgments:
Name: Guillaume Teissier (Orange
References:
- http://www.openwall.com/lists/oss-security/2020/01/24/2
- https://access.redhat.com/errata/RHSA-2020:0310
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp
- https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/
- https://seclists.org/bugtraq/2020/Feb/8
- https://security.gentoo.org/glsa/202401-26
- https://usn.ubuntu.com/4496-1/
- https://www.debian.org/security/2020/dsa-4619
Published: 2020-01-23