CVE-2019-17570
published 2020-01-23


Priority: P270 (critical, 9.8, CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 49.29% (98.7th percentile)
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Affected (13 ranges)

Vendor          Product             Version range   Fixed in
apache          apache_xml-rpc
apache          xml-rpc
apache          xml-rpc
apache          xml-rpc
apache          xml-rpc
canonical       ubuntu_linux
canonical       ubuntu_linux
debian          debian_linux
debian          debian_linux
debian          debian_linux
fedoraproject   fedora
fedoraproject   fedora
redhat          software_collections

Detection & IOCs (extracted from sources)

  • The vulnerable code path is in the `org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult` method — monitor for deserialization activity triggered from this method in Java stack traces or application logs.
  • The exploit vector is the `faultCause` attribute in an XML-RPC error response — inspect XML-RPC traffic for responses containing a `faultCause` element carrying a serialized Java object (base64-encoded byte stream).
  • The vulnerability is exploitable in the default configuration — any Apache XML-RPC client connecting to an untrusted server is at risk; no special client-side configuration is required for the attack to work.
  • This vulnerability is distinct from CVE-2016-5003, which used the `ex:serializable` type; CVE-2019-17570 abuses the `faultCause` deserialization path — ensure detection rules cover both vectors separately.
  • The vulnerable feature (`faultCause` deserialization) was introduced in xmlrpc 3.1 — target detection efforts at deployments running Apache XML-RPC 3.1 or later.
  • The client deserializes `faultCause` regardless of whether `enabledForExceptions` is set — the client-side guard is not enforced, making the attack possible even when the client has not opted in to receiving serialized exceptions.
  • The proposed patch fixes the issue by skipping `faultCause` processing when `enabledForExceptions` is false (the default) — after patching, clients must explicitly set `enabledForExceptions=true` to receive deserialized server-side exceptions.
  • There is no known mitigation short of blocking connections to untrusted XML-RPC servers — the library is no longer maintained and will not receive an official upstream fix.
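
As an added, defender-side illustration of two of the points above (the `faultCause` vector and the `enabledForExceptions` guard), and not code from Apache XML-RPC or from this advisory's sources: a Python script that (a) scans an XML-RPC `methodResponse` for a `faultCause` member whose base64 content starts with the Java serialization stream header (`0xACED0005`), which is what an inspection rule on XML-RPC traffic would look for, and (b) models the patched client behaviour, in which the `faultCause` bytes are only decoded when the client has opted in. The element layout follows the XML-RPC fault-struct convention; the sample responses are constructed, and the "serialized" payload is only the stream header plus filler, not an object graph.

```python
"""Detection and guard logic for CVE-2019-17570-style faultCause payloads.

Added example; assumes the Apache XML-RPC convention of a base64 `faultCause`
member inside the fault struct. Sample responses below are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def _fault_members(xml_text: str) -> Dict[str, ET.Element]:
    """Map member name -> <value> element of the fault struct; empty dict if the
    document is not a well-formed XML-RPC methodResponse carrying a <fault>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    if root.tag != "methodResponse":
        return {}
    members: Dict[str, ET.Element] = {}
    for member in root.findall("./fault/value/struct/member"):
        name = (member.findtext("name") or "").strip()
        value = member.find("value")
        if name and value is not None:
            members[name] = value
    return members


def _decode_base64_value(value: ET.Element) -> Optional[bytes]:
    """Decode <value><base64>...</base64></value>; None if absent or invalid."""
    text = value.findtext("base64")
    if text is None:
        return None
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except ValueError:
        return None


def scan_response(xml_text: str) -> str:
    """Detection side: classify a response by what its faultCause member carries.
    Returns one of 'no-faultCause', 'faultCause-not-serialized',
    'faultCause-java-serialized'."""
    value = _fault_members(xml_text).get("faultCause")
    if value is None:
        return "no-faultCause"
    blob = _decode_base64_value(value)
    if blob is not None and blob.startswith(JAVA_SERIAL_MAGIC):
        return "faultCause-java-serialized"
    return "faultCause-not-serialized"


def handle_fault(xml_text: str, enabled_for_exceptions: bool = False) -> Tuple[Optional[str], Optional[bytes]]:
    """Client side, modelled on the guard the advisory describes as the fix:
    faultString is always read, but the faultCause bytes are only decoded (and,
    in the real client, only then handed to ObjectInputStream) when the client
    opted in. The pre-patch library processed faultCause regardless of the flag."""
    members = _fault_members(xml_text)
    fault_string = members["faultString"].findtext("string") if "faultString" in members else None
    cause = None
    if enabled_for_exceptions and "faultCause" in members:
        cause = _decode_base64_value(members["faultCause"])
    return fault_string, cause


def build_fault_response(fault_cause: Optional[bytes]) -> str:
    """Constructed sample fault response (not captured traffic)."""
    members = (
        "<member><name>faultCode</name><value><int>0</int></value></member>"
        "<member><name>faultString</name>"
        "<value><string>java.lang.RuntimeException: boom</string></value></member>"
    )
    if fault_cause is not None:
        b64 = base64.b64encode(fault_cause).decode("ascii")
        members += f"<member><name>faultCause</name><value><base64>{b64}</base64></value></member>"
    return f"<methodResponse><fault><value><struct>{members}</struct></value></fault></methodResponse>"


# Constructed payloads: the stream header plus filler, not a real object graph.
SERIALIZED_LIKE = JAVA_SERIAL_MAGIC + b"filler"
BENIGN_BLOB = b"just some bytes"


if __name__ == "__main__":
    for label, blob in (("serialized", SERIALIZED_LIKE), ("benign", BENIGN_BLOB), ("absent", None)):
        print(f"{label:>10}: {scan_response(build_fault_response(blob))}")
    print("default client:", handle_fault(build_fault_response(SERIALIZED_LIKE)))
    print("opted-in client:", handle_fault(build_fault_response(SERIALIZED_LIKE), True))
```

In a proxy or IDS context, `scan_response` is the rule: a `faultCause` member whose decoded bytes begin with `0xACED0005` is a serialized Java object being pushed at a client and should be alerted on or dropped, whatever the server's stated fault reason. `handle_fault` shows why the patch matters: with the default `enabled_for_exceptions=False` the payload is never even decoded.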

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_redhat             9.8     CRITICAL
vendor_ubuntu             9.8     CRITICAL