GLSA-202401-26 : Apache XML-RPC: Multiple Vulnerabilities

critical Nessus Plugin ID 189291

Description

The remote host is affected by the vulnerability described in GLSA-202401-26 (Apache XML-RPC: Multiple Vulnerabilities).

- XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. (CVE-2016-5002)

- The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. (CVE-2016-5003)

- An untrusted deserialization vulnerability was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. (CVE-2019-17570)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Gentoo has discontinued support for Apache XML-RPC. We recommend that users unmerge it:

# emerge --ask --depclean dev-java/xmlrpc

See Also

https://security.gentoo.org/glsa/202401-26

https://bugs.gentoo.org/show_bug.cgi?id=713098

Plugin Details

Severity: Critical

ID: 189291

File Name: gentoo_GLSA-202401-26.nasl

Version: 1.0

Type: local

Published: 1/22/2024

Updated: 1/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-5002

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-17570

Vulnerability Information

CPE: cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/22/2024

Vulnerability Publication Date: 7/12/2016

Reference Information

CVE: CVE-2016-5002, CVE-2016-5003, CVE-2019-17570