CVE-2017-15708

Summary

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Synapse3.0.0affected
Apache Software FoundationApache Synapse2.1.0affected
Apache Software FoundationApache Synapse2.0.0affected
Apache Software FoundationApache Synapse1.2affected
Apache Software FoundationApache Synapse1.1.2affected
Apache Software FoundationApache Synapse1.1.1affected

Weaknesses

  • Remote Code Execution Vulnerability

ADP Enrichment

CVE Program Container

Additional References

References