[Bug 1508123] New: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Bug ID: 1508123 Summary: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through ex:serializable tag Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: psampaio@redhat.com CC: abhgupta@redhat.com, bmcclain@redhat.com, dbhole@redhat.com, dblechte@redhat.com, dwalluck@redhat.com, eedri@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jorton@redhat.com, krzysztof.daniel@gmail.com, kseifried@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, puntogil@libero.it, sbonazzo@redhat.com, sherold@redhat.com, sochotni@redhat.com, tiwillia@redhat.com, ykaul@redhat.com, ylavi@redhat.com
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5 https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1508124
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created xmlrpc tracking bugs for this issue:
Affects: fedora-all [bug 1508124]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1508124 [Bug 1508124] CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through ex:serializable tag [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1508328
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC|abhgupta@redhat.com, |sisharma@redhat.com, |kseifried@redhat.com, |smohan@redhat.com, |tiwillia@redhat.com |ssaha@redhat.com, | |vbellur@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=new,r |ffected,rhel-5/xmlrpc=new,r |hel-6/xmlrpc3=new,rhel-7/xm |hel-6/xmlrpc3=new,rhel-7/xm |lrpc=new,rhev-m-4/xmlrpc=ne |lrpc=new,rhev-m-4/xmlrpc=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhscl-2/rh-java-common-xm |w,rhscl-3/rh-java-common-xm |lrpc=new,storage-console-2/ |lrpc=new,rhscon-2/xmlrpc-co |xmlrpc-common=new,storage-3 |mmon=new,rhes-3/xmlrpc-comm |/xmlrpc-common=new,jbds-8/x |on=new,jbds-8/xmlrpc=new,jb |mlrpc=new,jbds-10/xmlrpc=ne |ds-10/xmlrpc=new,fuse-6/cam |w,fuse-6/camel-xmlrpc=new,o |el-xmlrpc=new |penshift-enterprise-2/camel | |-xmlrpc=new,dts-2/xmlrpc=ne | |w,dts-3/xmlrpc=new |
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Siddharth Sharma sisharma@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=new,r |ffected,rhel-5/xmlrpc=new,r |hel-6/xmlrpc3=new,rhel-7/xm |hel-6/xmlrpc3=new,rhel-7/xm |lrpc=new,rhev-m-4/xmlrpc=ne |lrpc=new,rhev-m-4/xmlrpc=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhscl-3/rh-java-common-xm |w,rhscl-3/rh-java-common-xm |lrpc=new,rhscon-2/xmlrpc-co |lrpc=new,rhes-3/xmlrpc-comm |mmon=new,rhes-3/xmlrpc-comm |on=new,jbds-8/xmlrpc=new,jb |on=new,jbds-8/xmlrpc=new,jb |ds-10/xmlrpc=new,fuse-6/cam |ds-10/xmlrpc=new,fuse-6/cam |el-xmlrpc=new |el-xmlrpc=new |
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Siddharth Sharma sisharma@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=new,r |ffected,rhel-5/xmlrpc=new,r |hel-6/xmlrpc3=new,rhel-7/xm |hel-6/xmlrpc3=new,rhel-7/xm |lrpc=new,rhev-m-4/xmlrpc=ne |lrpc=new,rhev-m-4/xmlrpc=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-4/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhev-m-3/xmlrpc-common=ne |w,rhscl-3/rh-java-common-xm |w,rhscl-3/rh-java-common-xm |lrpc=new,rhes-3/xmlrpc-comm |lrpc=new,rhes-3/xmlrpc-comm |on=new,jbds-8/xmlrpc=new,jb |on=wontfix,jbds-8/xmlrpc=ne |ds-10/xmlrpc=new,fuse-6/cam |w,jbds-10/xmlrpc=new,fuse-6 |el-xmlrpc=new |/camel-xmlrpc=new
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=new,r |ffected,rhel-5/xmlrpc=wontf |hel-6/xmlrpc3=new,rhel-7/xm |ix,rhel-6/xmlrpc3=wontfix,r |lrpc=new,rhev-m-4/xmlrpc=ne |hel-7/xmlrpc=affected,rhev- |w,rhev-m-4/xmlrpc-common=ne |m-3/xmlrpc-common=wontfix,r |w,rhev-m-3/xmlrpc-common=ne |hscl-3/rh-java-common-xmlrp |w,rhscl-3/rh-java-common-xm |c=affected,rhes-3/xmlrpc-co |lrpc=new,rhes-3/xmlrpc-comm |mmon=wontfix,jbds-8/xmlrpc= |on=wontfix,jbds-8/xmlrpc=ne |new,jbds-10/xmlrpc=new,fuse |w,jbds-10/xmlrpc=new,fuse-6 |-6/camel-xmlrpc=new |/camel-xmlrpc=new |
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=wontf |ffected,rhel-5/xmlrpc=wontf |ix,rhel-6/xmlrpc3=wontfix,r |ix,rhel-6/xmlrpc3=wontfix,r |hel-7/xmlrpc=affected,rhev- |hel-7/xmlrpc=wontfix,rhev-m |m-3/xmlrpc-common=wontfix,r |-3/xmlrpc-common=wontfix,rh |hscl-3/rh-java-common-xmlrp |scl-3/rh-java-common-xmlrpc |c=affected,rhes-3/xmlrpc-co |=affected,rhes-3/xmlrpc-com |mmon=wontfix,jbds-8/xmlrpc= |mon=wontfix,jbds-8/xmlrpc=n |new,jbds-10/xmlrpc=new,fuse |ew,jbds-10/xmlrpc=new,fuse- |-6/camel-xmlrpc=new |6/camel-xmlrpc=new
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=wontf |ffected,rhel-5/xmlrpc=wontf |ix,rhel-6/xmlrpc3=wontfix,r |ix,rhel-6/xmlrpc3=wontfix,r |hel-7/xmlrpc=wontfix,rhev-m |hel-7/xmlrpc=wontfix,rhev-m |-3/xmlrpc-common=wontfix,rh |-3/xmlrpc-common=wontfix,rh |scl-3/rh-java-common-xmlrpc |scl-3/rh-java-common-xmlrpc |=affected,rhes-3/xmlrpc-com |=affected,rhes-3/xmlrpc-com |mon=wontfix,jbds-8/xmlrpc=n |mon=wontfix,jbds-8/xmlrpc=n |ew,jbds-10/xmlrpc=new,fuse- |otaffected,jbds-10/xmlrpc=n |6/camel-xmlrpc=new |otaffected,fuse-6/camel-xml | |rpc=new
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |hghasemb@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=wontf |ffected,rhel-5/xmlrpc=wontf |ix,rhel-6/xmlrpc3=wontfix,r |ix,rhel-6/xmlrpc3=wontfix,r |hel-7/xmlrpc=wontfix,rhev-m |hel-7/xmlrpc=wontfix,rhev-m |-3/xmlrpc-common=wontfix,rh |-3/xmlrpc-common=wontfix,rh |scl-3/rh-java-common-xmlrpc |scl-3/rh-java-common-xmlrpc |=affected,rhes-3/xmlrpc-com |=affected,rhes-3/xmlrpc-com |mon=wontfix,jbds-8/xmlrpc=n |mon=wontfix,jbds-8/xmlrpc=n |otaffected,jbds-10/xmlrpc=n |otaffected,jbds-10/xmlrpc=n |otaffected,fuse-6/camel-xml |otaffected,fuse-6/camel=new |rpc=new |,fuse-7/camel=affected,fis- | |2/xmlrpc-common=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0524,reported=20160524,sour |0524,reported=20160524,sour |ce=cve,cvss3=6.4/CVSS:3.0/A |ce=cve,cvss3=6.4/CVSS:3.0/A |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |I:L/A:N,fedora-all/xmlrpc=a |I:L/A:N,fedora-all/xmlrpc=a |ffected,rhel-5/xmlrpc=wontf |ffected,rhel-5/xmlrpc=wontf |ix,rhel-6/xmlrpc3=wontfix,r |ix,rhel-6/xmlrpc3=wontfix,r |hel-7/xmlrpc=wontfix,rhev-m |hel-7/xmlrpc=wontfix,rhev-m |-3/xmlrpc-common=wontfix,rh |-3/xmlrpc-common=wontfix,rh |scl-3/rh-java-common-xmlrpc |scl-3/rh-java-common-xmlrpc |=affected,rhes-3/xmlrpc-com |=affected,rhes-3/xmlrpc-com |mon=wontfix,jbds-8/xmlrpc=n |mon=wontfix,jbds-8/xmlrpc=n |otaffected,jbds-10/xmlrpc=n |otaffected,jbds-10/xmlrpc=n |otaffected,fuse-6/camel=new |otaffected,fuse-6/camel=aff |,fuse-7/camel=affected,fis- |ected,fuse-7/camel=affected |2/xmlrpc-common=affected |,fis-2/xmlrpc-common=affect | |ed
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dmoppert@redhat.com Flags| |needinfo?(dmoppert@redhat.c | |om)
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(dmoppert@redhat.c | |om) |
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|medium |high Whiteboard|impact=moderate,public=2016 |impact=important,public=201 |0524,reported=20160524,sour |60524,reported=20160524,sou |ce=cve,cvss3=6.4/CVSS:3.0/A |rce=cve,cvss3=7.5/CVSS:3.0/ |V:N/AC:L/PR:L/UI:N/S:C/C:L/ |AV:N/AC:H/PR:L/UI:N/S:U/C:H |I:L/A:N,fedora-all/xmlrpc=a |/I:H/A:H,cwe=CWE-502,fedora |ffected,rhel-5/xmlrpc=wontf |-all/xmlrpc=affected,rhel-5 |ix,rhel-6/xmlrpc3=wontfix,r |/xmlrpc=wontfix,rhel-6/xmlr |hel-7/xmlrpc=wontfix,rhev-m |pc3=wontfix,rhel-7/xmlrpc=w |-3/xmlrpc-common=wontfix,rh |ontfix,rhev-m-3/xmlrpc-comm |scl-3/rh-java-common-xmlrpc |on=wontfix,rhscl-3/rh-java- |=affected,rhes-3/xmlrpc-com |common-xmlrpc=affected,rhes |mon=wontfix,jbds-8/xmlrpc=n |-3/xmlrpc-common=wontfix,jb |otaffected,jbds-10/xmlrpc=n |ds-8/xmlrpc=notaffected,jbd |otaffected,fuse-6/camel=aff |s-10/xmlrpc=notaffected,fus |ected,fuse-7/camel=affected |e-6/camel=affected,fuse-7/c |,fis-2/xmlrpc-common=affect |amel=affected,fis-2/xmlrpc- |ed |common=affected Severity|medium |high
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Doc Text *updated* by Riccardo Schirone rschiron@redhat.com --- It has been discovered that Apache XML-RPC (ws-xmlrpc) library deserializes untrusted data when enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a ex:serializable element.
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #5 from Riccardo Schirone rschiron@redhat.com --- Mitigation:
Setting enabledForExtensions is false by default, thus ex:serializable elements are not automatically deserialized. If you don't need any of the functionality provided by this setting (https://ws.apache.org/xmlrpc/extensions.html) we suggest you disable it.
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #6 from Riccardo Schirone rschiron@redhat.com --- Mitigation:
Setting enabledForExtensions is false by default, thus ex:serializable elements are not automatically deserialized. However, if you have it enabled and you don't need any of the provided functions (https://ws.apache.org/xmlrpc/extensions.html) we suggest you disable it.
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Siddharth Sharma sisharma@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |60524,reported=20160524,sou |60524,reported=20160524,sou |rce=cve,cvss3=7.5/CVSS:3.0/ |rce=cve,cvss3=7.5/CVSS:3.0/ |AV:N/AC:H/PR:L/UI:N/S:U/C:H |AV:N/AC:H/PR:L/UI:N/S:U/C:H |/I:H/A:H,cwe=CWE-502,fedora |/I:H/A:H,cwe=CWE-502,fedora |-all/xmlrpc=affected,rhel-5 |-all/xmlrpc=affected,rhel-5 |/xmlrpc=wontfix,rhel-6/xmlr |/xmlrpc=wontfix,rhel-6/xmlr |pc3=wontfix,rhel-7/xmlrpc=w |pc3=wontfix,rhel-7/xmlrpc=w |ontfix,rhev-m-3/xmlrpc-comm |ontfix,rhev-m-3/xmlrpc-comm |on=wontfix,rhscl-3/rh-java- |on=wontfix,rhscl-3/rh-java- |common-xmlrpc=affected,rhes |common-xmlrpc=affected,rhes |-3/xmlrpc-common=wontfix,jb |-3/xmlrpc-common=wontfix/im |ds-8/xmlrpc=notaffected,jbd |pact=low,jbds-8/xmlrpc=nota |s-10/xmlrpc=notaffected,fus |ffected,jbds-10/xmlrpc=nota |e-6/camel=affected,fuse-7/c |ffected,fuse-6/camel=affect |amel=affected,fis-2/xmlrpc- |ed,fuse-7/camel=affected,fi |common=affected |s-2/xmlrpc-common=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a ex:serializable element.
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |60524,reported=20160524,sou |60524,reported=20160524,sou |rce=cve,cvss3=7.5/CVSS:3.0/ |rce=cve,cvss3=7.5/CVSS:3.0/ |AV:N/AC:H/PR:L/UI:N/S:U/C:H |AV:N/AC:H/PR:L/UI:N/S:U/C:H |/I:H/A:H,cwe=CWE-502,fedora |/I:H/A:H,cwe=CWE-502,fedora |-all/xmlrpc=affected,rhel-5 |-all/xmlrpc=affected,rhel-5 |/xmlrpc=wontfix,rhel-6/xmlr |/xmlrpc=wontfix,rhel-6/xmlr |pc3=wontfix,rhel-7/xmlrpc=w |pc3=affected,rhel-7/xmlrpc= |ontfix,rhev-m-3/xmlrpc-comm |affected,rhev-m-3/xmlrpc-co |on=wontfix,rhscl-3/rh-java- |mmon=wontfix,rhscl-3/rh-jav |common-xmlrpc=affected,rhes |a-common-xmlrpc=affected,rh |-3/xmlrpc-common=wontfix/im |es-3/xmlrpc-common=wontfix/ |pact=low,jbds-8/xmlrpc=nota |impact=low,jbds-8/xmlrpc=no |ffected,jbds-10/xmlrpc=nota |taffected,jbds-10/xmlrpc=no |ffected,fuse-6/camel=affect |taffected,fuse-6/camel=affe |ed,fuse-7/camel=affected,fi |cted,fuse-7/camel=affected, |s-2/xmlrpc-common=affected |fis-2/xmlrpc-common=affecte | |d
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Riccardo Schirone rschiron@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1578878, 1578876, 1578875, | |1578874, 1578877, 1578873
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:1779 https://access.redhat.com/errata/RHSA-2018:1779
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1779
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1780 https://access.redhat.com/errata/RHSA-2018:1780
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1780
https://bugzilla.redhat.com/show_bug.cgi?id=1508123 Bug 1508123 depends on bug 1508124, which changed state.
Bug 1508124 Summary: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through ex:serializable tag [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1508124
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:1784 https://access.redhat.com/errata/RHSA-2018:1784
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1784
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |yozone@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |60524,reported=20160524,sou |60524,reported=20160524,sou |rce=cve,cvss3=7.5/CVSS:3.0/ |rce=cve,cvss3=7.5/CVSS:3.0/ |AV:N/AC:H/PR:L/UI:N/S:U/C:H |AV:N/AC:H/PR:L/UI:N/S:U/C:H |/I:H/A:H,cwe=CWE-502,fedora |/I:H/A:H,cwe=CWE-502,fedora |-all/xmlrpc=affected,rhel-5 |-all/xmlrpc=affected,rhel-5 |/xmlrpc=wontfix,rhel-6/xmlr |/xmlrpc=wontfix,rhel-6/xmlr |pc3=affected,rhel-7/xmlrpc= |pc3=affected,rhel-7/xmlrpc= |affected,rhev-m-3/xmlrpc-co |affected,rhev-m-3/xmlrpc=wo |mmon=wontfix,rhscl-3/rh-jav |ntfix/impact=moderate,rhscl |a-common-xmlrpc=affected,rh |-3/rh-java-common-xmlrpc=af |es-3/xmlrpc-common=wontfix/ |fected,rhes-3/xmlrpc-common |impact=low,jbds-8/xmlrpc=no |=wontfix/impact=low,jbds-8/ |taffected,jbds-10/xmlrpc=no |xmlrpc=notaffected,jbds-10/ |taffected,fuse-6/camel=affe |xmlrpc=notaffected,fuse-6/c |cted,fuse-7/camel=affected, |amel=affected,fuse-7/camel= |fis-2/xmlrpc-common=affecte |affected,fis-2/xmlrpc-commo |d |n=affected,rhev-m-4/xmlrpc= | |affected/impact=moderate
--- Comment #11 from Doran Moppert dmoppert@redhat.com --- This vulnerability can also affect xmlrpc clients, if they may be used against untrusted servers.
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1594618
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2018:2317 https://access.redhat.com/errata/RHSA-2018:2317
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:2317
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.2
Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:3768
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com