{
  "threat_severity" : "Important",
  "public_date" : "2020-01-16T00:00:00Z",
  "bugzilla" : {
    "description" : "xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response",
    "id" : "1775193",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1775193"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.", "A flaw was discovered where the XMLRPC client implementation in Apache XMLRPC performed deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library." ],
  "statement" : "Red Hat Enterprise Linux 7 provides a vulnerable version of xmlrpc via the Optional repository. As the Optional repository is not supported, this issue is not planned to be addressed there.\nRed Hat Virtualization Manager uses xmlrpc only for internal communication with the scheduler. Since this is a component of the Manager itself, it is not subject to attacker influence and does not represent an attack surface.",
  "acknowledgement" : "Red Hat would like to thank Guillaume Teissier (Orange) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.6.0",
    "release_date" : "2020-03-26T00:00:00Z",
    "advisory" : "RHSA-2020:0983",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "camel-xmlrpc"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2020-01-30T00:00:00Z",
    "advisory" : "RHSA-2020:0310",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-java-common-xmlrpc-1:3.1.3-8.17.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-01-30T00:00:00Z",
    "advisory" : "RHSA-2020:0310",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-java-common-xmlrpc-1:3.1.3-8.17.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2020-01-30T00:00:00Z",
    "advisory" : "RHSA-2020:0310",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-java-common-xmlrpc-1:3.1.3-8.17.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-01-30T00:00:00Z",
    "advisory" : "RHSA-2020:0310",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-java-common-xmlrpc-1:3.1.3-8.17.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-01-30T00:00:00Z",
    "advisory" : "RHSA-2020:0310",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-java-common-xmlrpc-1:3.1.3-8.17.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "xmlrpc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "xmlrpc3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "xmlrpc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "camel-xmlrpc",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "camel-xmlrpc",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "xmprpc-common",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "xmlrpc-common",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17570\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17570\nhttps://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp" ],
  "name" : "CVE-2019-17570",
  "mitigation" : {
    "value" : "There is no known mitigation other than restricting applications using the Apache XMLRPC client library from sending requests to untrusted XMLRPC servers.",
    "lang" : "en:us"
  },
  "csaw" : false
}