CVE-2017-15708
Description
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.synapse:synapse-coreMaven | < 3.0.1 | 3.0.1 |
Affected products
13cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- Apache Software Foundation/Apache Synapsev5Range: 3.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- www.securityfocus.com/bid/102154nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-p694-23q3-rvrcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15708ghsaADVISORY
- security.gentoo.org/glsa/202107-37nvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2020.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2020.htmlnvdThird Party AdvisoryWEB
- lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3EghsaWEB
- lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3Envd
- lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3Envd
News mentions
0No linked articles in our index yet.