CVE-2019-17570

Name: CVE-2019-17570
Description: An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2078-1, DSA-4619-1
NVD severity: high
Debian Bugs: 949089

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release             Version          Status
libxmlrpc3-java (PTS)   jessie              3.1.3-7          vulnerable
                        jessie (security)   3.1.3-7+deb8u1   fixed
                        stretch             3.1.3-8          vulnerable
                        stretch (security)  3.1.3-8+deb9u1   fixed
                        buster              3.1.3-9          vulnerable
                        buster (security)   3.1.3-9+deb10u1  fixed

The information below is based on the following data on fixed versions.

Package          Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
libxmlrpc3-java  source  (unstable)  (unfixed)                             949089
libxmlrpc3-java  source  buster      3.1.3-9+deb10u1           DSA-4619-1
libxmlrpc3-java  source  jessie      3.1.3-7+deb8u1            DLA-2078-1
libxmlrpc3-java  source  stretch     3.1.3-8+deb9u1            DSA-4619-1

Notes

https://www.openwall.com/lists/oss-security/2020/01/16/1
Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
https://github.com/orangecertcc/xmlrpc-common-deserialization