PT-2021-4021 · Apache · Apache Juddi

Artem Smotrakov · Published 2021-07-29 · Updated 2021-08-11 · CVE-2021-37578

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache jUDDI versions prior to 3.3.10

Description: The issue is related to the use of Java's Remote Method Invocation (RMI) in Apache jUDDI, which provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the exposed RMI endpoints, and the object is deserialized without any check on the incoming data. This may allow the attacker to run arbitrary code remotely. RMI is disabled by default in both jUDDI web service applications and jUDDI clients, so the likelihood of impact is low.

Recommendations: For versions prior to 3.3.10, consider disabling the RMI feature to minimize the risk of exploitation; all RMI-related code was removed starting with version 3.3.10. At the moment, there is no information about additional mitigation measures for this vulnerability.
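To illustrate the weakness class the description names, the following is an added example (not jUDDI or Apache code, and not a mitigation the advisory itself documents) that deserializes a constructed byte stream two ways on Java 9 or later: unchecked, as the description says RMI handles incoming parameters, and behind a JEP 290 ObjectInputFilter allowlist. The class LookupRequest and the key string are hypothetical stand-ins for an expected RMI parameter type.

```java
import java.io.*;
import java.util.HashMap;
// Added example, not jUDDI code: unchecked deserialization (the pattern the
// advisory describes) beside a JEP 290 allowlist filter. Requires Java 9+.
public class RmiPayloadFilterDemo {
    // Hypothetical parameter type the service expects to receive over RMI.
    static final class LookupRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String businessKey;
        LookupRequest(String businessKey) { this.businessKey = businessKey; }
    }

    // Serialize any object to bytes, standing in for data arriving on the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unchecked: whatever class the stream names is resolved and instantiated.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Filtered: only LookupRequest and the String it carries are admitted; any other
    // class is rejected with InvalidClassException before it is instantiated.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            LookupRequest.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new LookupRequest("uddi:example:business"));
        // Constructed stand-in for an unexpected class on the wire (harmless here).
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unchecked accepts: " + readUnchecked(unexpected).getClass());
        System.out.println("filtered accepts:  " + readFiltered(expected).getClass());
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered rejects: " + e.getMessage()); }
    }
}
```

The same allowlist can be applied process-wide with the standard `jdk.serialFilter` system property; the point of the example is that without any filter, the unchecked path will instantiate whatever serializable class the sender names.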

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2021-04547
CVE-2021-37578
GHSA-9HX8-2MRV-R674

Affected Products

Apache Juddi