Bug 23105 - xmlrpc new security issues CVE-2016-500[23]
Summary: xmlrpc new security issues CVE-2016-500[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2018-06-01 14:35 CEST by David Walser
Modified: 2019-01-05 19:31 CET

See Also:
Source RPM: xmlrpc-3.1.3-70.mga6.src.rpm
CVE:
Status comment: Patches available from Fedora


Description David Walser 2018-06-01 14:35:03 CEST
RedHat has issued an advisory on May 31:
https://access.redhat.com/errata/RHSA-2018:1780

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-01 14:35:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-06-07 22:33:24 CEST
Fedora has issued an advisory for this on June 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/

There was also another CVE.

Summary: xmlrpc new security issue CVE-2016-5003 => xmlrpc new security issues CVE-2016-500[23]
Status comment: (none) => Patches available from Fedora

Comment 2 David Walser 2019-01-01 04:52:42 CET
Fixed in xmlrpc-3.1.3-73.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 David Walser 2019-01-01 21:09:08 CET
Advisory:
========================

Updated xmlrpc packages fix security vulnerabilities:

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc)
library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct
server-side request forgery (SSRF) attacks via a crafted DTD (CVE-2016-5002).

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that
deserializes untrusted data when the enabledForExtensions setting is enabled. A
remote attacker could use this vulnerability to execute arbitrary code via a
crafted serialized Java object in a <ex:serializable> element (CVE-2016-5003).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5003
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/
========================

Updated packages in core/updates_testing:
========================
xmlrpc-javadoc-3.1.3-70.1.mga6
xmlrpc-common-3.1.3-70.1.mga6
xmlrpc-client-3.1.3-70.1.mga6
xmlrpc-server-3.1.3-70.1.mga6

from xmlrpc-3.1.3-70.1.mga6.src.rpm

Assignee: java => qa-bugs
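
A defensive pre-check for inbound XML-RPC request bodies, added here as an example and not part of the bug report or of the ws-xmlrpc project: it flags the two request shapes the advisory above describes, a DTD (the XXE vector of CVE-2016-5002) and an `<ex:serializable>` element (the deserialization vector of CVE-2016-5003), without ever letting an XML parser see a body that carries a DTD. The function name, the sample bodies and the assumed extensions namespace URI are this example's own.

```python
import re
from xml.etree import ElementTree as ET

# Assumption: this is the namespace URI Apache XML-RPC binds the "ex" prefix to;
# the local-name check below works even if a request uses a different URI.
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# Constructed sample request bodies (not captured traffic). The base64-looking
# payload in the third one is a placeholder, not a real serialized object.
BENIGN = ('<?xml version="1.0"?><methodCall><methodName>add</methodName>'
          '<params><param><value><int>2</int></value></param></params></methodCall>')
WITH_DTD = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "ping">]>'
            '<methodCall><methodName>&e;</methodName></methodCall>')
WITH_SERIALIZABLE = ('<?xml version="1.0"?><methodCall><methodName>echo</methodName>'
                     '<params><param><value><ex:serializable xmlns:ex="%s">AAAA'
                     '</ex:serializable></value></param></params></methodCall>' % EXT_NS)


def inspect_xmlrpc_request(body: str) -> list:
    """Return a list of findings for one request body; [] means nothing was flagged."""
    # Look for a DTD textually *before* handing the body to any XML parser, so the
    # check itself can never trigger entity expansion or external fetches.
    if DOCTYPE_RE.search(body):
        return ["dtd-present"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ["malformed-xml: %s" % exc]
    for elem in root.iter():
        # ElementTree reports namespaced tags as "{uri}localname"; match on the
        # local name so a different prefix or namespace URI is still caught.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "serializable":
            return ["ex-serializable-present"]
    return []


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("dtd", WITH_DTD),
                        ("serializable", WITH_SERIALIZABLE)):
        print(label, inspect_xmlrpc_request(body))
```

A server that keeps enabledForExtensions switched off is not reachable through the second finding, but logging both findings at the front door still tells you who is probing for them.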

Comment 4 Len Lawrence 2019-01-02 13:02:34 CET
Could not find anything useful for QA testing in the CVE links.
Have no idea how to start the|a client or server or what ws-xmlrpc means.
Handing this one over to whomsoever.

$ locate xmlrpc-client
/usr/share/java/xmlrpc-client.jar
/usr/share/maven-metadata/xmlrpc-xmlrpc-client.xml
/usr/share/maven-poms/xmlrpc-client.pom

$ locate xmlrpc | grep jar
/usr/share/java/xmlrpc-client.jar
/usr/share/java/xmlrpc-common.jar
/usr/share/java/xmlrpc-server.jar
/usr/share/java/pycharm-community/lib/xmlrpc-2.0.1.jar

# java -jar /usr/share/java/xmlrpc-client.jar
no main manifest attribute, in /usr/share/java/xmlrpc-client.jar

CC: (none) => tarazed25

Comment 5 David Walser 2019-01-02 13:18:27 CET
Just a clean update will do.
Comment 6 Herman Viaene 2019-01-04 15:03:05 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, so according to Comment 5, it's OK.
Just for the curious, I found a "simple" example at https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm
but that is over my head; someone else more educated in Java might find it interesting enough.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 7 Lewis Smith 2019-01-04 21:48:33 CET
(In reply to David Walser from comment #5)
> Just a clean update will do.
On M6/6 did just that; unsure exactly what Len & Herman had done.

BEFORE update, installed:
 xmlrpc-server-3.1.3-70.mga6
 xmlrpc-client-3.1.3-70.mga6
 xmlrpc-javadoc-3.1.3-70.mga6
 xmlrpc-common-3.1.3-70.mga6

The UPDATE was seamless:
 xmlrpc-server-3.1.3-70.1.mga6
 xmlrpc-client-3.1.3-70.1.mga6
 xmlrpc-javadoc-3.1.3-70.1.mga6
 xmlrpc-common-3.1.3-70.1.mga6

Validating; advisory from comment 3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2019-01-05 19:31:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0002.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

