9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-15708

GHSA ID

GHSA-p694-23q3-rvrc

EPSS Score

0.95914%

CWE

CWE-74

Published

11/4/2020

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-15708

CVE-2017-15708: Remote Code Execution in Apache Synapse

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-15708

GHSA ID

GHSA-p694-23q3-rvrc

EPSS Score

0.95914%

CWE

CWE-74

Published

11/4/2020

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.synapse:synapse-core	maven	< 3.0.1	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Apache Synapse using a vulnerable version of Apache Commons Collections (<=3.2.1) that contains dangerous serialization gadgets. The key vulnerable functions are in the functors package, specifically transformation methods that form part of the deserialization attack chain. These functions would appear in stack traces when malicious payloads are deserialized via RMI endpoints. The InvokerTransformer.transform() method is particularly critical as it enables method invocation through reflection, which is fundamental to most Commons Collections-based deserialization exploits. The InstantiateTransformer provides another attack vector through object instantiation. These functions are explicitly addressed in Commons Collections 3.2.2 through serialization lockdown patches.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** Syn*ps*, *y ****ult no *ut**nti**tion is r*quir** *or J*v* R*mot* M*t*o* Invo**tion (RMI). So *p**** Syn*ps* *.*.* or *ll pr*vious r*l**s*s (*.*.*, *.*.*, *.*.*, *.*, *.*.*, *.*.*) *llows r*mot* *o** *x**ution *tt**ks t**t **n ** p*r*orm**

Reasoning

T** vuln*r**ility st*ms *rom *p**** Syn*ps* usin* * vuln*r**l* v*rsion o* *p**** *ommons *oll**tions (<=*.*.*) t**t *ont*ins **n**rous s*ri*liz*tion *****ts. T** k*y vuln*r**l* *un*tions *r* in t** *un*tors p**k***, sp**i*i**lly tr*ns*orm*tion m*t*o*

9.8

Basic Information

Concerned about an active attack path?

CVE-2017-15708: Remote Code Execution in Apache Synapse

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI