CVE-2019-17570 Apache XML-RPC Vulnerability Analysis Report

Apache XML-RPC

1. Overview

1.1 Purpose of the Report

This report analyzes the cause and resolution of the CVE-2019-17570 vulnerability in Apache XML-RPC and provides a practical guide for secure implementation in real-world projects.

1.2 Background

Many existing security guides and tools simply report “no patch available” when there is no official fix, without providing developers with concrete remediation steps. This report aims to close that gap by offering actionable security advice from the security team to development teams.

1.3 Introduction to Apache XML-RPC

Apache XML-RPC is a Java-based library that implements XML-RPC, no longer officially maintained by Apache.

1.4 Summary of CVE-2019-17570

The vulnerability allows Remote Code Execution (RCE) by deserializing untrusted server responses on the client side.

Official advisory: GitHub Advisory

2. Detailed Vulnerability Analysis

2.1 Overview and Impact

CWE-502: Deserialization of Untrusted Data
An attacker can exploit a malicious XML-RPC server to execute arbitrary code on the client.

2.2 Root Cause

Object exception = map.get("faultCause");
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream((byte[]) exception));
errorCause = (Throwable) ois.readObject(); // Vulnerable code

2.3 Attack Scenario (PoC)

A crafted faultCause object sent by a malicious server is deserialized by the client, resulting in code execution.

3. Patch Analysis

3.1 Key Enhancements

Introduced isEnabledForExceptions flag to conditionally allow deserialization
Disabled external DTD loading in SAXParser for added XML security

3.2 Code Comparison Before and After Patch

After Patch:

if (((XmlRpcStreamRequestConfig) cfg).isEnabledForExceptions()) {
    Object exception = map.get("faultCause");
    ...
}

Disable DTD Loading:

spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

3.3 Manual Patch Examples

4. Distribution-Specific Patch Status and Maven Considerations

4.1 Patched Distributions

Debian, Red Hat, Amazon Linux: security patches are applied and managed independently

4.2 Limitations of Maven Central

No patched version available beyond official 3.1.3; users should use distribution packages or forked versions

4.3 Recommended Dependency

<dependency>
  <groupId>com.evolvedbinary.thirdparty.org.apache.xmlrpc</groupId>
  <artifactId>xmlrpc-client</artifactId>
  <version>4.0.0</version>
</dependency>

5. Secure Implementation Example

XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
config.setServerURL(new URL("http://trusted-server.com/RPC2"));
config.setEnabledForExceptions(false); // Disable deserialization

// Disable external DTD loading
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParsers.setSAXParserFactory(spf);

6. Conclusion and Recommendations

Use distribution-specific patched versions
Consider using the evolvedbinary fork
Migrate to gRPC, JAX-WS, or SOAP for long-term robustness

This report provides actionable insights and implementation tips to mitigate CVE-2019-17570 in production environments.

1. Overview#

1.1 Purpose of the Report#

1.2 Background#

1.3 Introduction to Apache XML-RPC#

1.4 Summary of CVE-2019-17570#

2. Detailed Vulnerability Analysis#

2.1 Overview and Impact#

2.2 Root Cause#

2.3 Attack Scenario (PoC)#

3. Patch Analysis#

3.1 Key Enhancements#

3.2 Code Comparison Before and After Patch#

3.3 Manual Patch Examples#

4. Distribution-Specific Patch Status and Maven Considerations#

4.1 Patched Distributions#

4.2 Limitations of Maven Central#

4.3 Recommended Dependency#

5. Secure Implementation Example#

6. Conclusion and Recommendations#