SB2024012237 - Gentoo update for Apache XML-RPC
Published: January 22, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) XML External Entity injection (CVE-ID: CVE-2016-5002)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
2) Deserialization of untrusted data (CVE-ID: CVE-2016-5003)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper deserialization of untrusted Java objects. A remote attacker can send a request that submits a malicious serialized Java object in an <ex:serializable> element and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2019-17570)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult() method in Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.