Recently, Apache Synapse released a new version to fix a remote code execution vulnerability (CVE-2017-15708). The vulnerability originates in the Apache Commons Collections component: an attacker can run code remotely by sending the application specially crafted serialized objects that it then deserializes.
See What is Apache Synapse for more information about Apache Synapse.
See the following for more information about the vulnerability.
Apache Synapse remote code execution vulnerability
This vulnerability exists in the Apache Commons Collections component. An attacker can run code remotely by sending the application specially crafted serialized objects that it then deserializes.
Condition and method of exploitation
A proof of concept (PoC) exists, and the vulnerability can be exploited remotely.
Apache Synapse version < 3.0.1
Check whether an affected version of Apache Synapse is in use.
How to fix or mitigate
Version 3.0.1, released on the official Apache website, fixes this vulnerability. Upgrade to the latest version as soon as possible.
Most companies want to move their existing middleware to an advanced SOA architecture, but doing so is expensive. Apache Synapse is a simple, high-quality open-source alternative that provides a way to implement SOA: it can expose existing applications as services without recoding them.
Apache Synapse is a lightweight, high-performance Enterprise Service Bus (ESB). Powered by a fast, asynchronous mediation engine, Apache Synapse provides strong support for XML, Web Services, and REST. In addition to XML and SOAP, Apache Synapse supports several other content exchange formats, such as plain text, binary, Hessian, and JSON. The wide range of transport adapters available for Synapse enables it to communicate over many application and transport layer protocols. Currently, Apache Synapse supports HTTP/HTTPS, Mail (POP3, IMAP, SMTP), JMS, TCP, UDP, VFS, SMS, XMPP, and FIX.