Vulnerability Description
Apache Synapse does not, by default, require authentication for Java Remote Method Invocation (RMI). Apache Synapse 3.0.0 and all previous releases (2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution: an unauthenticated attacker who can reach the RMI endpoint can inject specially crafted serialized objects. The attack is made practical by the Apache Commons Collections 3.2.1 jar (commons-collections-3.2.1.jar), or an earlier version, shipped in the Synapse distribution, which supplies the deserialization gadget chain. To mitigate the issue, limit RMI access to trusted users only (network restriction plus authentication), and upgrade to Synapse 3.0.1, which updates Commons Collections to 3.2.2 and so removes the exploitable library version. (The original advisory wording lists "3.0.1 or all previous releases"; 3.0.1 is the release that carries the fix.)
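The two conditions the advisory names, an older Commons Collections jar on the classpath and an RMI endpoint reachable without authentication, are both things a practitioner can check before and after the upgrade. The script below is an added example written for this page, not code from the Apache Synapse project. It assumes the Commons Collections 3.x artifact keeps its standard Maven file name (commons-collections-<version>.jar), builds a constructed sample distribution of empty placeholder files rather than real archives, and inspects the standard JDK JMX agent properties (com.sun.management.jmxremote.*) as a stand-in for "RMI open without authentication"; Synapse's own RMI/JMX settings in synapse.properties are not parsed here.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Synapse 3.0.1 bumped Commons Collections to 3.2.2, the first 3.x release in
# which the InvokerTransformer/InstantiateTransformer gadgets refuse to
# deserialize by default. Anything older in the 3.x line is flagged.
FIXED_CC_VERSION = (3, 2, 2)

# Matches the artifact name of the Commons Collections 3.x line only.
# commons-collections4-*.jar is a different artifact and out of scope here.
CC_JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); tuple comparison gives correct ordering."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_cc_version(version: str) -> bool:
    """True for any Commons Collections 3.x release older than 3.2.2."""
    return parse_version(version) < FIXED_CC_VERSION


def find_vulnerable_jars(root: str) -> List[str]:
    """Walk a Synapse distribution and return gadget-bearing jar paths (relative, '/')."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            match = CC_JAR_RE.match(name)
            if match and is_vulnerable_cc_version(match.group(1)):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def jmx_exposure_findings(jvm_args: List[str]) -> List[str]:
    """Flag a JDK JMX agent (which listens over RMI) started without auth or TLS.

    Standard HotSpot defaults apply: once jmxremote.port is set, authenticate
    and ssl both default to true, so only an explicit 'false' is a finding.
    """
    props: Dict[str, str] = {}
    for arg in jvm_args:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value
    findings = []
    if "com.sun.management.jmxremote.port" in props:
        if props.get("com.sun.management.jmxremote.authenticate", "true") == "false":
            findings.append("remote JMX/RMI port open with authentication disabled")
        if props.get("com.sun.management.jmxremote.ssl", "true") == "false":
            findings.append("remote JMX/RMI port without TLS")
    return findings


def build_sample_distribution() -> str:
    """Constructed sample layout: empty placeholder files, not real jars."""
    root = tempfile.mkdtemp(prefix="synapse-sample-")
    for rel in (
        "lib/commons-collections-3.2.1.jar",   # pre-3.0.1 distribution: flagged
        "lib/commons-collections-3.2.2.jar",   # what 3.0.1 ships: not flagged
        "lib/commons-collections4-4.1.jar",    # different artifact: ignored
        "repository/conf/synapse.properties",
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_distribution()
    print("vulnerable jars:", find_vulnerable_jars(sample_root))
    # Constructed JVM command line for an exposed, unauthenticated JMX agent.
    print("jmx findings:", jmx_exposure_findings([
        "-Dcom.sun.management.jmxremote.port=1099",
        "-Dcom.sun.management.jmxremote.authenticate=false",
        "-Dcom.sun.management.jmxremote.ssl=false",
    ]))
```

The jar check keys on the file name; a repackaged or shaded jar can carry the same gadget classes under another name, so on a real host also inspect the jar manifests for org.apache.commons.collections entries. A clean jar scan plus an authenticated, TLS-protected management port corresponds to the upgrade-and-restrict-RMI mitigation in the description; it does not by itself prove that no other RMI listener is exposed.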
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Synapse | 1.0 through 3.0.0 (fixed in 3.0.1) |
| Oracle | Financial Services Market Risk Measurement And Management | 8.0.6 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.56 |
Related Weaknesses (CWE)
CWE-502: Deserialization of Untrusted Data
References
- http://www.securityfocus.com/bid/102154 (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627
- https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1e
- https://security.gentoo.org/glsa/202107-37 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
FAQ
What is CVE-2017-15708?
CVE-2017-15708 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI), so Apache Synapse 3.0.0 and all previous releases (2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow re...
How severe is CVE-2017-15708?
CVE-2017-15708 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-15708?
Yes. Upgrade to Apache Synapse 3.0.1, which ships Commons Collections 3.2.2, and restrict RMI access to trusted users in the meantime. The references section above links the Apache announcement threads, the Gentoo advisory (GLSA 202107-37) and the Oracle Critical Patch Updates (January and July 2020) that cover the other affected products: Oracle Financial Services Market Risk Measurement And Management and Oracle Peoplesoft Enterprise Peopletools.