In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/102154 | Third Party Advisory VDB Entry |
https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E | |
https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E | |
https://security.gentoo.org/glsa/202107-37 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2020.html | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2017-12-10T00:00:00
Updated: 2021-07-16T07:06:16
Reserved: 2017-10-21T00:00:00
Link: CVE-2017-15708
JSON object: View
NVD Information
Status : Modified
Published: 2017-12-11T15:29:00.237
Modified: 2023-11-07T02:40:21.763
Link: CVE-2017-15708
JSON object: View
Redhat Information
No data.
CWE