CVE-2019-17570

9.8 CRITICAL

📋 TL;DR

CVE-2019-17570 is an untrusted deserialization vulnerability in the Apache XML-RPC library that allows remote code execution. A malicious XML-RPC server can send specially crafted responses to XML-RPC clients, causing them to execute arbitrary code. This affects any application that uses the vulnerable Apache XML-RPC library to communicate with XML-RPC servers.

💻 Affected Systems

Products:
  • Apache XML-RPC (ws-xmlrpc)
Versions: All versions; the library is end-of-life and no fixed release was issued
Operating Systems: All operating systems running Java applications using Apache XML-RPC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects XML-RPC clients using the vulnerable library to communicate with XML-RPC servers. The library is end-of-life and no longer maintained by Apache.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control over the vulnerable system, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Remote code execution leading to data theft, system manipulation, or deployment of malware/ransomware.

🟢 If Mitigated: Limited impact if proper network segmentation, egress filtering, and least-privilege principles are implemented.

🌐 Internet-Facing: HIGH - XML-RPC clients communicating with external servers are directly exposed to malicious responses.
🏢 Internal Only: MEDIUM - Internal XML-RPC communications could be exploited if internal systems are compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the vulnerable client to connect to a malicious XML-RPC server. The vulnerability is in the client-side parsing of server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - library is end-of-life

Vendor Advisory: https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee@1390230951@<dev.ws.apache.org>

Restart Required: Yes

Instructions:

1. Migrate to alternative XML-RPC libraries or modern alternatives such as REST APIs.
2. Remove Apache XML-RPC from all applications.
3. Rebuild and redeploy applications with the replacement libraries.

🔧 Temporary Workarounds

Network Filtering (all platforms): Implement egress filtering to restrict XML-RPC clients to trusted servers only.

Input Validation (all platforms): Implement custom XML parsing with strict validation before passing data to the XML-RPC library.

🧯 If You Can't Patch

  • Isolate vulnerable systems in segmented network zones with strict egress filtering
  • Implement application allowlisting and runtime protection to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for org.apache.xmlrpc:xmlrpc-client or other Apache XML-RPC artifacts (groupId org.apache.xmlrpc). Use mvn dependency:tree (Maven) or gradle dependencies (Gradle) to identify usage, including transitive dependencies pulled in by other libraries.

Check Version:

Check pom.xml, build.gradle, or dependency manifest files for Apache XML-RPC references.

Verify Fix Applied:

Verify Apache XML-RPC library is completely removed from application dependencies and replaced with alternative libraries.
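As an added example (not part of this advisory or the Apache project), a small Python scanner that applies the checks above to `mvn dependency:tree` output, a pom.xml and a build.gradle, flagging direct and transitive org.apache.xmlrpc artifacts. The sample inputs are constructed; the tree parser assumes coordinates without a classifier.

```python
import re
import xml.etree.ElementTree as ET

# Maven groupId of the end-of-life Apache XML-RPC (ws-xmlrpc) artifacts.
VULNERABLE_GROUP = "org.apache.xmlrpc"
# One node of `mvn dependency:tree`: groupId:artifactId:type:version[:scope]
# (assumption: no classifier in the coordinate).
TREE_NODE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::(\w+))?\s*$")
# A Gradle string coordinate such as 'org.apache.xmlrpc:xmlrpc-client:3.1.3'.
GRADLE_DEP = re.compile(r"['\"]org\.apache\.xmlrpc:([\w.\-]+):([\w.\-]+)['\"]")

def find_in_tree(tree_output):
    """(artifactId, version, scope) for every org.apache.xmlrpc node, direct or transitive."""
    hits = []
    for line in tree_output.splitlines():
        m = TREE_NODE.search(line)
        if m and m.group(1) == VULNERABLE_GROUP:
            hits.append((m.group(2), m.group(3), m.group(4) or "compile"))
    return hits

def find_in_pom(pom_xml):
    """artifactIds of <dependency> elements whose <groupId> is org.apache.xmlrpc."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    tag = (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)
    return [dep.findtext(tag("artifactId")) for dep in root.iter(tag("dependency"))
            if dep.findtext(tag("groupId")) == VULNERABLE_GROUP]

def find_in_gradle(build_gradle):
    """(artifactId, version) for org.apache.xmlrpc coordinates in a build.gradle."""
    return GRADLE_DEP.findall(build_gradle)

# Constructed sample inputs (not real project output); note the transitive hit in the tree.
SAMPLE_TREE = """[INFO] com.example:app:jar:1.0
[INFO] +- org.example:some-sdk:jar:2.4.0:compile
[INFO] |  \\- org.apache.xmlrpc:xmlrpc-common:jar:3.1.3:compile
[INFO] \\- junit:junit:jar:4.12:test
"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.xmlrpc</groupId><artifactId>xmlrpc-client</artifactId>
    <version>3.1.3</version></dependency>
  <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = "dependencies {\n    implementation 'org.apache.xmlrpc:xmlrpc-client:3.1.3'\n}\n"

if __name__ == "__main__":
    print("dependency:tree :", find_in_tree(SAMPLE_TREE))
    print("pom.xml         :", find_in_pom(SAMPLE_POM))
    print("build.gradle    :", find_in_gradle(SAMPLE_GRADLE))
```

Any non-empty result means the library is still present and the fix (complete removal) has not been applied.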

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from XML-RPC client applications
  • Java deserialization errors in application logs
  • Outbound connections to unknown XML-RPC servers

Network Indicators:

  • XML-RPC traffic to untrusted external servers
  • Unusual outbound connections from XML-RPC clients

SIEM Query:

source="application_logs" AND ("XmlRpcResponseParser" OR "deserialization error" OR "java.lang.ClassNotFoundException")
