CVE-2017-15708
Description
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.synapse:synapse-coreMaven | < 3.0.1 | 3.0.1 |
Affected products
14cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- Apache Software Foundation/Apache Synapsev5Range: 3.0.0
Patches
Vulnerability mechanics
References
10- www.securityfocus.com/bid/102154nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-p694-23q3-rvrcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15708ghsaADVISORY
- security.gentoo.org/glsa/202107-37nvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2020.htmlnvdThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2020.htmlnvdThird Party AdvisoryWEB
- lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3EghsaWEB
- lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3Envd
- lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3Envd
News mentions
0No linked articles in our index yet.