CVE-2017-15708 — Injection in Software Foundation Apache Synapse

CWE-74 — Injection CWE-502 — Deserialization of Untrusted Data6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

19.9%

top 4.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Synapse Apache Synapse Oracle Financial Services Market Risk Measurement AND Management +1 more

Timeline

PublishedDec 11

Latest updateNov 4

Description

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDapache/synapse8 versions+7

▶CVEListV5apache_software_foundation/apache_synapse6 versions+5

▶NVDoracle/financial_services_market_risk_measurement_and_management8.0.6, 8.0.8+1

▶NVDoracle/peoplesoft_enterprise_peopletools8.56, 8.57+1

🔴Vulnerability Details

GHSA

Remote Code Execution in Apache Synapse↗2020-11-04

▶

OSV

Remote Code Execution in Apache Synapse↗2020-11-04

▶

CVEList

CVE-2017-15708: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI)↗2017-12-11

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: User Interface (Apache Synapse) — CVE-2017-15708↗2020-07-15

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Portal (Apache Commons) — CVE-2017-15708↗2020-01-15

▶