
[Vulnerability notice] CVE-2017-15708: Remote code execution vulnerability in Apache Synapse

Last Updated: Apr 02, 2018

Apache Synapse has recently released a new version that fixes a remote code execution vulnerability (CVE-2017-15708). The vulnerability stems from the Apache Commons Collections component: an attacker can remotely execute code by sending specially crafted serialized objects to an application that deserializes them.

See What is Apache Synapse for more information about Apache Synapse.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-15708

Vulnerability name

Apache Synapse remote code execution vulnerability

Vulnerability rating

High

Vulnerability description

This vulnerability exists in the Apache Commons Collections component. An attacker can remotely execute code by sending specially crafted serialized objects to an application that deserializes them.

Condition and method of exploitation

The vulnerability can be exploited remotely by means of a proof of concept (PoC).

PoC status

Unpublished

Affected scope

Apache Synapse version < 3.0.1

Vulnerability detection

Check whether the version of Apache Synapse in use is an affected version, that is, earlier than 3.0.1.
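The following Python script is an added illustration of that check and is not part of the original notice or of the Apache Synapse project. It compares version strings against the fixed release 3.0.1 stated above and flags the affected ones. The jar naming pattern synapse-core-<version>.jar and the sample file names are assumptions constructed for the example; point it at your own installation's lib directory to check real files.

```python
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# From the advisory: Apache Synapse versions earlier than 3.0.1 are affected.
FIXED_VERSION = (3, 0, 1)

# Assumption (not from the advisory): the Synapse core jar is named
# synapse-core-<version>.jar, possibly with a qualifier such as -SNAPSHOT.
JAR_PATTERN = re.compile(r"^synapse-core-(\d+(?:\.\d+)*)(?:[-.][\w.]+)?\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '3.0.1' (or a shorter '3.0' / '3') into a three-part integer tuple.

    Missing parts are treated as 0 so that tuples compare correctly.
    Returns None when the string does not start with a numeric version.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the given Synapse version is below the fixed release 3.0.1."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return parsed < FIXED_VERSION


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (file name, version, affected) for every Synapse core jar found.

    Files that do not match the assumed jar pattern are ignored, so unrelated
    jars in the same directory do not produce false positives.
    """
    findings = []
    for name in names:
        m = JAR_PATTERN.match(name)
        if not m:
            continue
        version = m.group(1)
        findings.append((name, version, is_affected(version)))
    return findings


def scan_directory(path: str) -> List[Tuple[str, str, bool]]:
    """Scan a real lib directory; sorted so results are stable across runs."""
    return scan_jar_names(sorted(os.listdir(path)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        # Constructed sample input standing in for a lib directory listing.
        results = scan_jar_names([
            "synapse-core-3.0.0.jar",
            "synapse-core-3.0.1.jar",
            "commons-collections-3.2.1.jar",
        ])
    for name, version, affected in results:
        status = "AFFECTED (< 3.0.1)" if affected else "not affected"
        print(f"{name}: version {version} -> {status}")
```

Run it without arguments to see the constructed sample, or with the path of the Synapse lib directory to check an actual installation. The version comparison is done on integer tuples rather than on strings, so a hypothetical 3.10.0 is correctly treated as newer than 3.0.1.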

How to fix or mitigate

Version 3.0.1, released on the official Apache website, fixes this vulnerability. Upgrade the software to the latest version as soon as possible.

Reference

[1] http://www.openwall.com/lists/oss-security/2017/12/10/4?from=timeline
[2] https://commons.apache.org/proper/commons-collections/security-reports.html

What is Apache Synapse?

Most companies are keen to transform their existing middleware into an advanced SOA architecture, but doing so is costly. Apache Synapse is a simple, high-quality open-source alternative that provides a way to implement SOA: it can expose existing applications as services without the need to recode them.

Apache Synapse is a lightweight and high-performance Enterprise Service Bus (ESB). Powered by a fast and asynchronous mediation engine, Apache Synapse provides exceptional support for XML, Web Services, and REST. In addition to XML and SOAP, Apache Synapse supports several other content exchange formats, such as plain text, binary, Hessian, and JSON. The wide range of transport adapters available for Synapse enables it to communicate over many application and transport layer protocols. As of now, Apache Synapse supports HTTP/HTTPS, Mail (POP3, IMAP, SMTP), JMS, TCP, UDP, VFS, SMS, XMPP, and FIX.
