Vulnerability Details : CVE-2017-15708
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). As a result, Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution attacks performed by injecting specially crafted serialized objects. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution is what makes this exploitable, since that library supplies the deserialization gadget chain. To mitigate the issue, limit RMI access to trusted users only. Further, upgrading to version 3.0.1 eliminates the risk from the affected Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.
Vulnerability category: Execute code
Products affected by CVE-2017-15708
- cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15708
- EPSS score: 5.21% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~93% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2017-15708
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2017-15708
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15708
- https://www.oracle.com/security-alerts/cpujan2020.html
  Oracle Critical Patch Update Advisory - January 2020 (Third Party Advisory)
- https://security.gentoo.org/glsa/202107-37
  Apache Commons Collections: Remote code execution (GLSA 202107-37), Gentoo security (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html
  Oracle Critical Patch Update Advisory - July 2020 (Third Party Advisory)
- https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3E
  [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue, Pony Mail (Mailing List; Vendor Advisory)
- http://www.securityfocus.com/bid/102154
  Multiple Apache Products CVE-2017-15708 Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E
  Pony Mail (Issue Tracking; Mailing List; Vendor Advisory)