VYPR
Critical severity 9.8 · NVD Advisory · Published Dec 11, 2017 · Updated Jun 17, 2026

CVE-2017-15708

Description

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution attacks performed by injecting specially crafted serialized objects, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution makes this exploitable. To mitigate the issue, RMI access must be limited to trusted users only. Further, upgrading to version 3.0.1 eliminates the risk posed by the said Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.apache.synapse:synapse-core  Maven       < 3.0.1             3.0.1

Affected products

Total: 14
  • Apache/Synapse (8 versions)
    • cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*
  • Oracle/financial_services_market_risk_measurement_and_management (2 versions)
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
  • Oracle/peoplesoft_enterprise_peopletools (2 versions)
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • Apache Software Foundation/Apache Synapse (v5)
    Range: 3.0.0
