ALAS2-2018-1041

Amazon Linux 2 Security Advisory: ALAS-2018-1041
Advisory Release Date: 2018-06-20 19:55 Pacific
Advisory Updated Date: 2018-07-24 21:13 Pacific

Severity: Important

References: CVE-2016-5003
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a <ex:serializable> element.(CVE-2016-5003)

Affected Packages:

xmlrpc

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update xmlrpc to update your system.

New Packages:

noarch:
    xmlrpc-javadoc-3.1.3-9.amzn2.noarch
    xmlrpc-common-3.1.3-9.amzn2.noarch
    xmlrpc-client-3.1.3-9.amzn2.noarch
    xmlrpc-server-3.1.3-9.amzn2.noarch

src:
    xmlrpc-3.1.3-9.amzn2.src

Additional References

Red Hat: CVE-2016-5003

Mitre: CVE-2016-5003