CVE-2017-15708
high-risk
Published 2017-12-11
In Apache Synapse, no authentication is required by default for Java Remote Method Invocation (RMI), so any remote party that can reach the RMI listener can hand it serialized Java objects. Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) accept such input, and remote code execution can be achieved by injecting specially crafted serialized objects. What makes this exploitable in practice is the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution, since those versions supply the classes that the crafted object graph relies on during deserialization. To mitigate the issue, restrict RMI access to trusted users and networks only. Upgrading to Synapse 3.0.1 removes the known exploit path, because that release updates Commons Collections to 3.2.2; the unauthenticated RMI listener itself is still present in 3.0.1, so restricting access to it remains necessary.
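The advisory's second fix vector is a library version, and the jar that matters can be bundled under a different file name than the Maven artifact. The following inventory check is an added example, not part of this advisory or of the Apache Synapse project: it walks a Synapse install, identifies Commons Collections 3.x jars by file name or by manifest, and flags anything older than 3.2.2 (the version Synapse 3.0.1 ships). It assumes jars live under `<root>/lib`, that the Maven artifact is named `commons-collections-<version>.jar`, and that the 3.x manifests carry `Bundle-SymbolicName: org.apache.commons.collections` or `Implementation-Title: Commons Collections`; the sample install it builds for the offline run is constructed, not real Synapse content.

```python
"""Inventory check for CVE-2017-15708 exposure in an Apache Synapse install.

Added example (not the advisory's or the project's code). Flags Commons
Collections jars at or below 3.2.1; 3.2.2 is the fixed version per the advisory.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

FIXED_VERSION = (3, 2, 2)  # Synapse 3.0.1 updates Commons Collections to 3.2.2
JAR_NAME_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); tolerates suffixes such as '3.2.1-SNAPSHOT'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """3.2.1 and earlier are affected; 3.2.2 and later are not."""
    return version < FIXED_VERSION


def manifest_version(jar: Path) -> Optional[tuple]:
    """Identify a renamed Commons Collections 3.x jar via META-INF/MANIFEST.MF.

    Attribute names are an assumption based on the 3.x artifacts' manifests.
    Returns None when the file is not a readable jar or is not Commons Collections.
    """
    try:
        with zipfile.ZipFile(jar) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    attrs = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):  # manifest continuation lines start with a space
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    if (attrs.get("Bundle-SymbolicName") != "org.apache.commons.collections"
            and attrs.get("Implementation-Title") != "Commons Collections"):
        return None
    ver = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
    return parse_version(ver) if ver else None


def scan(root: Path) -> list:
    """One finding per Commons Collections jar under <root>/lib (assumed layout)."""
    findings = []
    for jar in sorted((root / "lib").rglob("*.jar"), key=str):
        m = JAR_NAME_RE.match(jar.name)
        version = parse_version(m.group(1)) if m else manifest_version(jar)
        if version is None:
            continue
        findings.append({
            "jar": jar.relative_to(root).as_posix(),
            "version": ".".join(map(str, version)),
            "vulnerable": is_vulnerable(version),
        })
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed sample install: vulnerable jar, fixed jar, a renamed jar that
    is only identifiable by manifest, and an unrelated jar. Not real Synapse files."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    cc = ("Manifest-Version: 1.0\nBundle-SymbolicName: org.apache.commons.collections\n"
          "Implementation-Title: Commons Collections\nImplementation-Version: {v}\n")
    jars = {
        "commons-collections-3.2.1.jar": cc.format(v="3.2.1"),
        "commons-collections-3.2.2.jar": cc.format(v="3.2.2"),
        "vendor-bundled-collections.jar": cc.format(v="3.1"),
        "synapse-core-3.0.0.jar": "Manifest-Version: 1.0\nImplementation-Title: Apache Synapse\n",
    }
    for name, manifest in jars.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


def demo() -> list:
    """Build the constructed fixture in a temp dir and scan it."""
    return scan(build_fixture(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    import sys
    results = scan(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(("VULNERABLE " if f["vulnerable"] else "ok         ") + f"{f['jar']} ({f['version']})")
```

Run it with the Synapse install directory as the only argument; with no argument it scans the constructed fixture. A flagged jar means the exploitable library is still on the classpath regardless of the Synapse version string, which is why the check reads the jar rather than trusting the product version.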
Do I need to act?
EPSS: 19.9% chance of exploitation in the next 30 days (higher than 80% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this page; check vendor advisories for fix availability and mitigation guidance (the description above names Synapse 3.0.1, which ships Commons Collections 3.2.2, as the release that removes the exploitable library)
CVSS: 9.8/10, Critical; attack vector NETWORK, LOW attack complexity
Affected Products (12)
References (12)
Third Party Advisory: http://www.securityfocus.com/bid/102154
Third Party Advisory: https://security.gentoo.org/glsa/202107-37
Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2020.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2020.html
Risk score: 63/100 (high-risk)
Severity: 32/34 · Critical
Exploitability: 14/34 · Moderate
Exposure: 17/34 · Moderate