CVE-2017-15708

 

Published at: - 11-12-2017 04:29

Last modified: - 08-03-2022 04:39

Total changes: - 4

Description

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• [dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability-Issue Tracking, Mailing List, Vendor Advisory
• 102154-Third Party Advisory, VDB Entry
• https://www.oracle.com/security-alerts/cpujan2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• [doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue-Mailing List, Vendor Advisory
• GLSA-202107-37-Third Party Advisory

 

Keywords

NVD

 

CVE-2017-15708

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures