CVE-2017-15708: Remote Code Execution in Apache Synapse
CVSS v3 base score: 9.8 (Critical)
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.synapse:synapse-core | maven | < 3.0.1 | 3.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
Apache Synapse exposes a Java RMI endpoint that, by default, requires no authentication, so an unauthenticated remote client can hand the server arbitrary serialized Java objects. That alone is unsafe; what turns it into remote code execution is the copy of Apache Commons Collections (3.2.1 or earlier) shipped in the Synapse distribution, which contains the well-known deserialization gadget classes in the `org.apache.commons.collections.functors` package. When a crafted payload is deserialized, the chain runs through the functors' `transform()` methods, and these are the frames that show up in a stack trace of a successful or failed attempt.

`InvokerTransformer.transform()` is the critical primitive: it invokes an arbitrary method by name through reflection, which is what most Commons Collections gadget chains use to reach `Runtime.exec()` or equivalent. `InstantiateTransformer.transform()` offers a second route by instantiating an arbitrary class with attacker-chosen constructor arguments. Commons Collections 3.2.2 addresses these (along with the other unsafe functors) with a serialization lockdown: their `readObject()` now throws unless the system property `org.apache.commons.collections.enableUnsafeSerialization` is explicitly set to `true`. Synapse 3.0.1 upgrades to that release; the upgrade removes the gadget, but the unauthenticated RMI surface should still be firewalled or restricted with a JDK serialization filter, since other gadget classes on the classpath would be reachable the same way.
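The lockdown described above works because class resolution happens before any of the gadget's own code runs. The following added example (written for this page, not code from Apache Synapse or Commons Collections) shows the same consumer-side defense: an `ObjectInputStream` subclass that rejects functor classes by name in `resolveClass()`, so neither `readObject()` nor `readResolve()` of a denied class is ever executed. The denylist prefixes, the stand-in `Gadget` class, and the sample inputs are constructed for the demonstration; on a JDK with JEP 290 (8u121+), the equivalent is a `jdk.serialFilter` or, for RMI specifically, `sun.rmi.registry.registryFilter`.

```java
import java.io.*;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not Apache Synapse or Commons Collections code): an
 * ObjectInputStream that refuses to resolve known gadget classes before
 * their readObject() can run. Same idea as the Commons Collections 3.2.2
 * lockdown and as a JEP 290 serialization filter, applied by the consumer.
 */
public class GadgetRejectingObjectInputStream extends ObjectInputStream {

    // Illustrative denylist of class-name prefixes. Not exhaustive: an
    // allowlist of the types the endpoint actually expects is stronger.
    static final List<String> DENIED_PREFIXES = Arrays.asList(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.",
            "GadgetRejectingObjectInputStream$Gadget"); // demo stand-in below

    public GadgetRejectingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    static boolean isDenied(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Called while the class descriptor is read, before field data is
        // consumed and before readObject()/readResolve() of that class runs,
        // so throwing here stops the gadget chain at its first link.
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "deserialization of this class is not permitted");
        }
        return super.resolveClass(desc);
    }

    /** Stand-in for a gadget: a Serializable type whose readObject() does work. */
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("gadget readObject() executed");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new GadgetRejectingObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign HashMap and the stand-in gadget.
        HashMap<String, Integer> benign = new HashMap<>();
        benign.put("answer", 42);
        System.out.println("benign: " + deserialize(serialize(benign)));

        try {
            deserialize(serialize(new Gadget()));
            System.out.println("gadget was NOT rejected");
        } catch (InvalidClassException e) {
            // The Gadget.readObject() line above never prints.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac GadgetRejectingObjectInputStream.java && java GadgetRejectingObjectInputStream`: the `HashMap` round-trips, while the stand-in gadget is rejected before its `readObject()` executes. A denylist like this is only a stopgap for code you cannot change; for a service such as Synapse's RMI port, the durable fixes are upgrading the library, restricting the endpoint, and enforcing an allowlist filter at the JVM level.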