PT-2019-15206 · Apache · Apache Olingo

Artem Smotrakov

·

Published

2019-12-04

·

Updated

2020-02-04

·

CVE-2019-17556

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Apache Olingo versions 4.0.0 through 4.6.0
Description

The AbstractService class in Apache Olingo, which is part of the public API, deserializes the metadata handed to it with a plain java.io.ObjectInputStream and does not check which classes the stream names. Because ObjectInputStream instantiates whatever Serializable class the stream describes and runs that class's readObject()/readResolve() hooks before the caller's cast can fail, an attacker who can supply malicious serialized metadata to the class can trigger arbitrary code execution on the deserializing host through any deserialization gadget chain present on the application's classpath.
Recommendations

Upgrade to Apache Olingo 4.7.0 or later, in which the issue is fixed. Where an upgrade is not yet possible, treat the metadata passed to AbstractService as untrusted input: accept it only from sources the application itself produced, restrict which callers can reach the class, and never deserialize metadata obtained over the network or from user-controlled storage. If the class must still consume externally supplied metadata, wrap the deserialization in an ObjectInputStream that enforces an explicit allow-list of classes (by overriding resolveClass, or with an ObjectInputFilter on Java 9+ / 8u121+) rather than relying on the cast after readObject() returns.

Fix

Fixed in Apache Olingo 4.7.0.

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2019-17556
GHSA-GJ76-429M-56WC

Affected Products

Apache Olingo