CVE-2016-5003

Impact:
Important
Public Date:
2016-05-24
CWE:
CWE-502
Bugzilla:
1508123: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library: it deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.

Find out more about CVE-2016-5003 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-xmlrpc) | RHSA-2018:1784 | 2018-06-04
Red Hat JBoss Fuse 7 | RHSA-2018:3768 | 2018-12-04
Red Hat Enterprise Linux 6 (xmlrpc3) | RHSA-2018:1779 | 2018-05-31
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (xmlrpc) | RHSA-2018:2317 | 2018-07-31
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-xmlrpc) | RHSA-2018:1784 | 2018-06-04
Red Hat Enterprise Linux 7 (xmlrpc) | RHSA-2018:1780 | 2018-05-31

Affected Packages State

Platform | Package | State
Red Hat JBoss Fuse 6 | camel | Affected
Red Hat Gluster Storage 3 | xmlrpc-common | Will not fix
Red Hat Enterprise Linux 5 | xmlrpc | Will not fix
RHEV Manager 3 | xmlrpc | Will not fix

Mitigation

The enabledForExtensions setting is false by default, so <ex:serializable> elements are not deserialized unless it has been turned on. If you have enabled it and do not need any of the extension features listed at https://ws.apache.org/xmlrpc/extensions.html, we suggest you disable it.
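The following is an added example, not code from this advisory or from the Apache XML-RPC project, showing where the setting lives in the library's 3.x API. It assumes the standard WebServer/PropertyHandlerMapping setup from the project's documentation; the Calculator handler class, the "Calculator" handler name, the port and the client URL are constructed placeholders. Both the server and the client configuration expose enabledForExtensions, and the example leaves it false on both sides, with a startup check so a later configuration change cannot silently re-enable it.

```java
import java.io.IOException;
import java.net.URL;

import org.apache.xmlrpc.XmlRpcException;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
import org.apache.xmlrpc.server.PropertyHandlerMapping;
import org.apache.xmlrpc.server.XmlRpcServer;
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;
import org.apache.xmlrpc.webserver.WebServer;

public class XmlRpcExtensionsDisabled {

    // Constructed placeholder handler; any real handler class would do.
    public static class Calculator {
        public int add(int a, int b) {
            return a + b;
        }
    }

    // Server side: keep the "ex:" extension protocol off so the parser never
    // accepts an <ex:serializable> element (the advisory's mitigation).
    public static XmlRpcServerConfigImpl hardenServer(XmlRpcServer server) {
        XmlRpcServerConfigImpl config = (XmlRpcServerConfigImpl) server.getConfig();
        config.setEnabledForExtensions(false);
        if (config.isEnabledForExtensions()) {
            throw new IllegalStateException("XML-RPC extensions must stay disabled");
        }
        return config;
    }

    // Client side: the same flag exists on the client configuration, and a
    // client with extensions enabled parses server responses with the same
    // vulnerable path, so leave it off here too.
    public static XmlRpcClientConfigImpl hardenedClientConfig(URL serverUrl) {
        XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
        config.setServerURL(serverUrl);
        config.setEnabledForExtensions(false);
        return config;
    }

    public static void main(String[] args) throws XmlRpcException, IOException {
        // Constructed port number for the example.
        WebServer webServer = new WebServer(8080);
        XmlRpcServer server = webServer.getXmlRpcServer();

        PropertyHandlerMapping mapping = new PropertyHandlerMapping();
        mapping.addHandler("Calculator", Calculator.class);
        server.setHandlerMapping(mapping);

        hardenServer(server);
        webServer.start();

        // Constructed client URL pointing at the server above.
        XmlRpcClient client = new XmlRpcClient();
        client.setConfig(hardenedClientConfig(new URL("http://127.0.0.1:8080/xmlrpc")));
        Object result = client.execute("Calculator.add", new Object[] {2, 3});
        System.out.println("Calculator.add(2, 3) = " + result);
    }
}
```

If an application does need one of the extension features, the advisory's guidance is unchanged: enabledForExtensions must then be true, and the patched package from the errata above is the fix rather than this setting.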
