SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Apache Archiva
Vendors:   Apache Software Foundation
Apache Archiva Bugs in XML-RPC Library Let Remote Users Conduct Server-Side Request Forgery Attacks, Deny Service, and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1036294
SecurityTracker URL:  http://securitytracker.com/id/1036294
CVE Reference:   CVE-2016-5002, CVE-2016-5003, CVE-2016-5004
Date:  Jul 13 2016
Impact:   Denial of service via network, Execution of arbitrary code via network, Host/resource access via network, Modification of user information, User access via network
Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in Apache Archiva. A remote user can conduct server-side request forgery attacks. A remote user can cause the target service to crash. A remote user may be able to execute arbitrary code on the target system.

A remote user can submit a specially crafted XML DTD that, when processed by the target library, will cause the target server to connect to arbitrary ports on arbitrary hosts on the target network [CVE-2016-5002].

A remote user can send specially crafted serialized data that, when deserialized by the target library, may execute arbitrary code on the target system [CVE-2016-5003].

A remote user can send a specially crafted Content-Encoding header to consume excessive resources and cause denial of service conditions on the target application server [CVE-2016-5004].

The vulnerabilities reside in the ws-xmlrpc library component.
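As an added illustration, not code from this advisory, from 0ang3el, or from the ws-xmlrpc project, the following Java program shows the parser-level behaviour behind the DTD issue (CVE-2016-5002) and the corresponding hardening. A constructed XML-RPC request whose DOCTYPE names an external DTD is parsed twice, once with a default SAXParserFactory and once with a factory on which external-DTD loading and external entities are switched off; an EntityResolver records which external locations each parser asked for instead of fetching them. The sample request, the host address (a reserved documentation address) and all class and method names are assumptions of this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XmlRpcDtdHardening {

    // Constructed sample request: a minimal XML-RPC call whose DOCTYPE points
    // at an external DTD. A parser with default settings tries to retrieve
    // that URL before the call body is even looked at, so the sender chooses
    // the host and port the server connects to. 192.0.2.0/24 is a reserved
    // documentation range, used here as a placeholder.
    static final String SAMPLE_REQUEST =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE methodCall SYSTEM \"http://192.0.2.10:8080/x.dtd\">\n"
      + "<methodCall><methodName>ping</methodName><params/></methodCall>";

    /** Records every external entity the parser asks for, without fetching it. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            // Hand back an empty entity so the parse continues offline.
            return new InputSource(new StringReader(""));
        }
    }

    /** Factory with every external-fetch path of the parser switched off. */
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Never retrieve the DOCTYPE's external subset (Xerces feature name,
        // honoured by the JDK's built-in parser).
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Never expand external general or parameter entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    /**
     * Parses the request with a parser from the given factory and returns the
     * external system identifiers the parser attempted to resolve.
     */
    static List<String> externalFetchesDuringParse(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = factory.newSAXParser();
        XMLReader reader = parser.getXMLReader();
        RecordingResolver resolver = new RecordingResolver();
        reader.setEntityResolver(resolver);
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(xml)));
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        List<String> defaultFetches =
            externalFetchesDuringParse(SAXParserFactory.newInstance(), SAMPLE_REQUEST);
        List<String> hardenedFetches =
            externalFetchesDuringParse(hardenedFactory(), SAMPLE_REQUEST);

        System.out.println("default parser asked to resolve:  " + defaultFetches);
        System.out.println("hardened parser asked to resolve: " + hardenedFetches);
    }
}
```

Compile and run with javac and java (JDK 8 or later). The default factory hands the DOCTYPE's system identifier to the resolver, which without the recording resolver would be an outbound connection to whatever host and port the request named; the hardened factory never asks. Where a DOCTYPE is never legitimate, as in XML-RPC traffic, the stricter http://apache.org/xml/features/disallow-doctype-decl feature rejects such a document outright. Parser settings cover only the DTD issue; the serializable-type deserialization (CVE-2016-5003) happens after parsing inside the library's type handling, and the Content-Encoding resource exhaustion (CVE-2016-5004) sits in request handling, so each needs its own mitigation.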

Demonstration exploit code is available at:

https://github.com/0ang3el/unsafe-xmlrpc

The original advisory is available at:

https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html

0ang3el reported this vulnerability.

Impact:   A remote user can cause the target server to connect to arbitrary ports on arbitrary hosts on the target network.

A remote user can consume excessive resources and cause denial of service conditions on the target application server.

A remote user can execute arbitrary code on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  archiva.apache.org/
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 6 2018 (Red Hat Issues Fix for Red Hat Enterprise Virtualization) Apache Archiva Bugs in XML-RPC Library Let Remote Users Conduct Server-Side Request Forgery Attacks, Deny Service, and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Virtualization for Red Hat Enterprise Linux.



 Source Message Contents

Subject:  [oss-security] Vulnerabilities in Apache Archiva

Hello!

I have recently found three vulnerabilities in the ws-xmlrpc library -
https://ws.apache.org/xmlrpc/. The Apache Security Team has assigned three CVE
numbers for the Apache Archiva project as it uses the ws-xmlrpc library.

Here is the list of vulnerabilities with CVE numbers:

- CVE-2016-5002 - SSRF attack via loading external DTD in ws-xmlrpc.
- CVE-2016-5003 - Deserialization of untrusted data via serializable data type in ws-xmlrpc.
- CVE-2016-5004 - DoS attack via Content-Encoding header in ws-xmlrpc.

Technical details regarding vulnerabilities are in this post -
https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html

Regards, 0ang3el.


Copyright 2019, SecurityGlobal.net LLC