CVE-2017-15708
First published: Mon Dec 11 2017(Updated: )
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Synapse | =1.0 | |
| Apache Synapse | =1.1 | |
| Apache Synapse | =1.1.1 | |
| Apache Synapse | =1.1.2 | |
| Apache Synapse | =1.2 | |
| Apache Synapse | =2.0.0 | |
| Apache Synapse | =2.1.0 | |
| Apache Synapse | =3.0.0 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.6 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.8 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/102154
- https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E
- https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3E
- https://security.gentoo.org/glsa/202107-37
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E
- https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E
Frequently Asked Questions
What is CVE-2017-15708?
CVE-2017-15708 is a vulnerability in Apache Synapse that allows remote code execution attacks by injecting specially crafted serialized objects.
How severe is CVE-2017-15708?
CVE-2017-15708 has a severity rating of 9.8, which is considered critical.
Which versions of Apache Synapse are affected by CVE-2017-15708?
Apache Synapse versions 1.0, 1.1, 1.1.1, 1.1.2, 1.2, 2.0.0, 2.1.0, and 3.0.0 are all affected by CVE-2017-15708.
What is the impact of CVE-2017-15708?
CVE-2017-15708 allows remote code execution, which could lead to unauthorized access, data theft, or other malicious activities.
How can I mitigate CVE-2017-15708?
To mitigate CVE-2017-15708, it is recommended to apply the latest patches and updates provided by Apache Synapse.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/apache
- canonical/apache synapse
- version/apache synapse/1.0
- version/apache synapse/1.1
- version/apache synapse/1.1.1
- version/apache synapse/1.1.2
- version/apache synapse/1.2
- version/apache synapse/2.0.0
- version/apache synapse/2.1.0
- version/apache synapse/3.0.0
- vendor/oracle
- canonical/oracle financial services market risk measurement and management
- version/oracle financial services market risk measurement and management/8.0.6
- version/oracle financial services market risk measurement and management/8.0.8
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.56
- version/oracle peoplesoft enterprise peopletools/8.57