Published: 11/12/2017 Updated: 09/01/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Apache Synapse, Java Remote Method Invocation (RMI) requires no authentication by default. Apache Synapse 3.0.0 and all previous releases (2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution by sending specially crafted serialized objects to the exposed RMI endpoint. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution supplies the deserialization gadget chain that makes this exploitable. To mitigate the issue, limit RMI access to trusted users only. Upgrading to Synapse 3.0.1, which ships Commons Collections 3.2.2, removes the vulnerable library version.
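The summary names two conditions for exploitation: an RMI endpoint reachable by the attacker, and a Commons Collections jar older than 3.2.2 on the classpath. The following script, an added example that is not part of this advisory or of the Synapse project, checks both from a defender's side. It speaks the standard Java RMI stream-protocol handshake (magic "JRMI", version 2, protocol byte 0x4b; a server replies 0x4e followed by the client's host as a writeUTF string and port as a 4-byte int) to confirm whether the RMI transport is reachable from the machine running it, and it scans a lib directory listing for vulnerable commons-collections jars. The default port 1099 and the sample directory listing are assumptions made for the example.

```python
import re
import socket
import struct

# Standard Java RMI wire-protocol constants (sun.rmi.transport.TransportConstants).
JRMI_MAGIC = b"JRMI"          # 0x4a524d49
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F

# Assumption: the Synapse JMX/RMI registry listens on the conventional RMI port.
DEFAULT_RMI_PORT = 1099

# First fixed Commons Collections release named by the advisory.
FIXED_CC_VERSION = (3, 2, 2)
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def build_jrmi_handshake() -> bytes:
    """Client opening of an RMI StreamProtocol connection: magic, version, protocol byte."""
    return JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + bytes([STREAM_PROTOCOL])


def parse_jrmi_ack(data: bytes) -> dict:
    """Parse the server's ProtocolAck plus EndpointIdentifier (writeUTF host, writeInt port).

    Raises ValueError if the server did not acknowledge the stream protocol.
    """
    if not data:
        raise ValueError("empty response (port open but not speaking JRMI?)")
    if data[0] == PROTOCOL_NACK:
        raise ValueError("server sent ProtocolNack")
    if data[0] != PROTOCOL_ACK:
        raise ValueError("unexpected first byte 0x%02x" % data[0])
    if len(data) < 3:
        raise ValueError("truncated EndpointIdentifier")
    (host_len,) = struct.unpack(">H", data[1:3])
    host_end = 3 + host_len
    if len(data) < host_end + 4:
        raise ValueError("truncated EndpointIdentifier")
    host = data[3:host_end].decode("utf-8")
    (port,) = struct.unpack(">I", data[host_end:host_end + 4])
    return {"host": host, "port": port}


def probe_rmi(host: str, port: int = DEFAULT_RMI_PORT, timeout: float = 3.0) -> dict:
    """Complete the JRMI handshake against host:port and return the server's view of us.

    Success means the RMI transport is reachable from this vantage point, i.e. the
    network restriction the advisory recommends is not in effect for this client.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_jrmi_handshake())
        return parse_jrmi_ack(s.recv(1024))


def vulnerable_commons_collections(jar_names) -> list:
    """Return the commons-collections jars in a lib listing that are older than 3.2.2.

    Only the commons-collections-3.x artifact named by the advisory is considered.
    """
    flagged = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        version = tuple(int(p) for p in m.group(1).split("."))
        if version < FIXED_CC_VERSION:
            flagged.append(name)
    return flagged


# Constructed sample listing of a Synapse lib/ directory (not taken from a real install).
SAMPLE_LIB = [
    "synapse-core-3.0.0.jar",
    "commons-collections-3.2.1.jar",
    "commons-collections-3.1.jar",
    "commons-collections-3.2.2.jar",
]

if __name__ == "__main__":
    import sys
    print("vulnerable jars:", vulnerable_commons_collections(SAMPLE_LIB))
    if len(sys.argv) > 1:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_RMI_PORT
        print("RMI reachable; server sees us as", probe_rmi(target, port))
```

A ProtocolAck only proves that the RMI transport answers this client; it says nothing about whether a gadget chain is present, which is why the jar check is run alongside it. Conversely, the RMI registry deserializes call arguments before any JMX-level authentication takes place, so a reachable registry plus a vulnerable Commons Collections jar is the combination the advisory describes, and restricting who can reach the port is the mitigation it recommends until the upgrade to 3.0.1 is done.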

Affected Products

Vendor   Product              Versions
Apache   Commons Collections  3.2.1
Apache   Synapse              1.0, 1.1, 1.1.1, 1.1.2, 1.2, 2.0.0, 2.1.0, 3.0.0

Vendor Advisories

IBM Security Privileged Identity Manager has addressed the following security vulnerabilities ...

Github Repositories

Apache Synapse deserialization. Description: Apache Synapse is a lightweight, high-performance Enterprise Service Bus (ESB). Apache Synapse is powered by a fast asynchronous mediation engine and offers strong support for XML, Web services and REST. Beyond XML and SOAP, Apache Synapse also supports several other content exchange formats such as plain text, binary, Hessian and JSON. The various transport adapters available for Synapse

Apache Synapse remote command execution vulnerability (CVE-2017-15708) one-click detection PoC. A point-and-click graphical verification tool based on a modified ysoserial: enter the IP:port to test and the command to execute. usage: