{"containers": {"cna": {"affected": [{"product": "Apache jUDDI", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.3.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Reported by Artem Smotrakov"}], "descriptions": [{"lang": "en", "value": "Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-29T14:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E"}, {"name": "[oss-security] 20210728 [SECURITY] CVE-2021-37578 Apache jUDDI Remote code execution", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1"}], "source": {"defect": ["JUDDI-1018"], "discovery": "UNKNOWN"}, "title": "Remote code execution via RMI", "workarounds": [{"lang": "en", "value": "For the jUDDI service web application, RMI and JNDI service registration is disabled by default. If it was enabled by the system owner, disable it.\n\nFor jUDDI Clients, do not use RMI Transports. This is an opt-in feature and is not typically used."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-37578", "STATE": "PUBLIC", "TITLE": "Remote code execution via RMI"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache jUDDI", "version": {"version_data": [{"version_affected": "<", "version_value": "3.3.10"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Reported by Artem Smotrakov"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E"}, {"name": "[oss-security] 20210728 [SECURITY] CVE-2021-37578 Apache jUDDI Remote code execution", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1"}]}, "source": {"defect": ["JUDDI-1018"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "For the jUDDI service web application, RMI and JNDI service registration is disabled by default. If it was enabled by the system owner, disable it.\n\nFor jUDDI Clients, do not use RMI Transports. This is an opt-in feature and is not typically used."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.344Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E"}, {"name": "[oss-security] 20210728 [SECURITY] CVE-2021-37578 Apache jUDDI Remote code execution", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-37578", "datePublished": "2021-07-29T07:05:10", "dateReserved": "2021-07-27T00:00:00", "dateUpdated": "2024-08-04T01:23:01.344Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:juddi:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C7936C1-5F3F-4399-8076-12D4E2E21D15", "versionEndExcluding": "3.3.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed."}, {"lang": "es", "value": "Apache jUDDI utiliza varias clases relacionadas con la Invocaci\u00f3n Remota de M\u00e9todos (RMI) de Java que (como una extensi\u00f3n de UDDI) proporciona un transporte alternativo para acceder a los servicios UDDI. RMI utiliza el mecanismo de serializaci\u00f3n de Java por defecto para pasar par\u00e1metros en las invocaciones RMI. Un atacante remoto puede enviar un objeto serializado malicioso a las entradas RMI mencionadas. Los objetos se deserializan sin ninguna comprobaci\u00f3n de los datos entrantes. En el peor de los casos, puede permitir al atacante ejecutar c\u00f3digo arbitrario de forma remota. Tanto para las aplicaciones de servicios web jUDDI como para los clientes jUDDI, el uso de RMI est\u00e1 deshabilitado por defecto. Dado que se trata de una caracter\u00edstica opcional y una extensi\u00f3n del protocolo UDDI, la probabilidad de impacto es baja. A partir de la versi\u00f3n 3.3.10, se ha eliminado todo el c\u00f3digo relacionado con RMI"}], "id": "CVE-2021-37578", "lastModified": "2024-11-21T06:15:27.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-29T07:15:06.693", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1"}, {"source": "security@apache.org", "tags": ["Broken Link", "Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/07/29/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread.html/r82047b3ba774cf870ea8e1e9ec51c6107f6cd056d4e36608148c6e71%40%3Cprivate.juddi.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}