CVE-2017-15708

Published: 11/12/2017 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Apache Synapse, no authentication is required by default for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution attacks performed by injecting specially crafted serialized objects. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution makes this exploitable. To mitigate the issue, RMI access must be limited to trusted users only. Upgrading to version 3.0.1 further eliminates the risk from the affected Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.
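As an added example (not part of this record or of the Synapse project's code), a check a defender can run over an installed Synapse distribution to flag a Commons Collections jar older than 3.2.2, the version shipped with the fix; the lib directory layout and jar file naming are assumptions, and the demo builds a constructed directory so it runs offline:

```python
"""Flag commons-collections jars older than 3.2.2 in a Synapse lib directory.
Added example; directory layout and jar naming are assumptions."""
import os
import re
import tempfile

FIXED_VERSION = (3, 2, 2)  # Synapse 3.0.1 ships commons-collections 3.2.2
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_vulnerable_jars(lib_dir):
    """Return paths of commons-collections jars below the fixed version."""
    hits = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            match = JAR_RE.match(name)
            if match and parse_version(match.group(1)) < FIXED_VERSION:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def demo():
    """Constructed layout: one old jar, one fixed jar, one unrelated jar."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        for jar in ("commons-collections-3.2.1.jar",
                    "commons-collections-3.2.2.jar",
                    "commons-lang-2.6.jar"):
            open(os.path.join(lib, jar), "wb").close()  # empty placeholder
        return [os.path.basename(p) for p in find_vulnerable_jars(lib)]


if __name__ == "__main__":
    print(demo())  # ['commons-collections-3.2.1.jar']
```

Point `find_vulnerable_jars` at the real `lib` directory of a Synapse install to get the list of jars that still need the upgrade.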

Vulnerable Products

apache synapse 3.0.0
apache synapse 2.1.0
apache synapse 2.0.0
apache synapse 1.2
apache synapse 1.1.2
apache synapse 1.1.1
apache synapse 1.0
apache synapse 1.1
oracle peoplesoft enterprise peopletools 8.56
oracle peoplesoft enterprise peopletools 8.57
oracle financial services market risk measurement and management 8.0.6
oracle financial services market risk measurement and management 8.0.8

Github Repositories

OpenBox: A white-box testing automation proof of concept for detecting and testing susceptibility to CVEs. OpenBox takes a source code path as its input and runs a suite of open source static testing tools to determine if an application is impacted by a given CVE and static vulnerability that could lead to exploitation of the CVE. Attempts to map these vulnerabilities to the applicati

Apache Synapse remote command execution vulnerability (CVE-2017-15708) one-click detection PoC. A simple graphical checking tool modified from ysoserial: enter the IP:port to check and the command to execute. usage: