CVE-2017-15708

CRITICAL

Apache Synapse < 3.0.1 - Injection

Title source: rule

Description

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Exploits (1)

nomisec WORKING POC

by HuSoul · poc

https://github.com/HuSoul/CVE-2017-15708

View Code ZIP pw:eip

References (6)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/102154

[Third Party Advisory] https://security.gentoo.org/glsa/202107-37

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2020.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Mailing List] https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.1990

EPSS Percentile 95.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-74

Status published

Products (19)

apache/synapse 1.0

apache/synapse 1.1

apache/synapse 1.1.1

apache/synapse 1.1.2

apache/synapse 1.2

apache/synapse 2.0.0

apache/synapse 2.1.0

apache/synapse 3.0.0

Apache Software Foundation/Apache Synapse 1.1.1

Apache Software Foundation/Apache Synapse 1.1.2

... and 9 more

Published Dec 11, 2017

Tracked Since Feb 18, 2026