
CVE-2017-15708: Remote Code Execution in Apache Synapse

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.95914%
Published: 11/4/2020
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                      Ecosystem   Vulnerable Versions   First Patched Version
org.apache.synapse:synapse-core   maven       < 3.0.1               3.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from Apache Synapse using a vulnerable version of Apache Commons Collections (<=3.2.1) that contains dangerous serialization gadgets. The key vulnerable functions are in the functors package, specifically transformation methods that form part of the deserialization attack chain. These functions would appear in stack traces when malicious payloads are deserialized via RMI endpoints. The InvokerTransformer.transform() method is particularly critical as it enables method invocation through reflection, which is fundamental to most Commons Collections-based deserialization exploits. The InstantiateTransformer provides another attack vector through object instantiation. These functions are explicitly addressed in Commons Collections 3.2.2 through serialization lockdown patches.
