cnvd - cnvd-2017-36700

cnvd-2017-36700

Vulnerability from cnvd

Title: Apache Synapse远程代码执行漏洞

Description:

Apache Synapse是一个简单的、高质量开放源代码的替代方法，为实现 SOA 提供了一种途径，它可以公开现有的应用程序，而无需重新编写任何代码。

Apache Synapse存在远程代码执行漏洞，该漏洞源于Apache Commons Collections库包含“functor”包中的各个类可被序列化所致。攻击者可以通过注入特制的序列化对象，并在其类路径中包含Apache Commons Collections库，且不执行任何类型的输入验证，导致可远程执行代码。

Severity: 高

Patch Name: Apache Synapse远程代码执行漏洞的补丁

Patch Description:

Apache Synapse是一个简单的、高质量开放源代码的替代方法，为实现 SOA 提供了一种途径，它可以公开现有的应用程序，而无需重新编写任何代码。

Apache Synapse存在远程代码执行漏洞，该漏洞源于Apache Commons Collections组件，攻击者可以通过注入特制的序列化对象来远程执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

Apache Synapse官方已经发布了最新的3.0.1版本修复了该漏洞，请受影响的用户尽快升级到最新版本： http://synapse.apache.org/download/3.0.1/download.cgi

Reference: http://www.openwall.com/lists/oss-security/2017/12/10/4?from=timeline https://commons.apache.org/proper/commons-collections/security-reports.html

Impacted products

Name
Apache Synapse <3.0.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-15708"
    }
  },
  "description": "Apache Synapse\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u3001\u9ad8\u8d28\u91cf\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u66ff\u4ee3\u65b9\u6cd5\uff0c\u4e3a\u5b9e\u73b0 SOA \u63d0\u4f9b\u4e86\u4e00\u79cd\u9014\u5f84\uff0c\u5b83\u53ef\u4ee5\u516c\u5f00\u73b0\u6709\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u800c\u65e0\u9700\u91cd\u65b0\u7f16\u5199\u4efb\u4f55\u4ee3\u7801\u3002\r\n\r\nApache Synapse\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Commons Collections\u5e93\u5305\u542b\u201cfunctor\u201d\u5305\u4e2d\u7684\u5404\u4e2a\u7c7b\u53ef\u88ab\u5e8f\u5217\u5316\u6240\u81f4\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6ce8\u5165\u7279\u5236\u7684\u5e8f\u5217\u5316\u5bf9\u8c61\uff0c\u5e76\u5728\u5176\u7c7b\u8def\u5f84\u4e2d\u5305\u542bApache Commons Collections\u5e93\uff0c\u4e14\u4e0d\u6267\u884c\u4efb\u4f55\u7c7b\u578b\u7684\u8f93\u5165\u9a8c\u8bc1\uff0c\u5bfc\u81f4\u53ef\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "sevck",
  "formalWay": "Apache Synapse\u5b98\u65b9\u5df2\u7ecf\u53d1\u5e03\u4e86\u6700\u65b0\u76843.0.1\u7248\u672c\u4fee\u590d\u4e86\u8be5\u6f0f\u6d1e\uff0c\u8bf7\u53d7\u5f71\u54cd\u7684\u7528\u6237\u5c3d\u5feb\u5347\u7ea7\u5230\u6700\u65b0\u7248\u672c\uff1a\r\nhttp://synapse.apache.org/download/3.0.1/download.cgi",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-36700",
  "openTime": "2017-12-11",
  "patchDescription": "Apache Synapse\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u3001\u9ad8\u8d28\u91cf\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u66ff\u4ee3\u65b9\u6cd5\uff0c\u4e3a\u5b9e\u73b0 SOA \u63d0\u4f9b\u4e86\u4e00\u79cd\u9014\u5f84\uff0c\u5b83\u53ef\u4ee5\u516c\u5f00\u73b0\u6709\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u800c\u65e0\u9700\u91cd\u65b0\u7f16\u5199\u4efb\u4f55\u4ee3\u7801\u3002\r\n\r\nApache Synapse\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Commons Collections\u7ec4\u4ef6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6ce8\u5165\u7279\u5236\u7684\u5e8f\u5217\u5316\u5bf9\u8c61\u6765\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Synapse\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Synapse \u003c3.0.1"
  },
  "referenceLink": "http://www.openwall.com/lists/oss-security/2017/12/10/4?from=timeline\r\nhttps://commons.apache.org/proper/commons-collections/security-reports.html",
  "serverity": "\u9ad8",
  "submitTime": "2017-12-11",
  "title": "Apache Synapse\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2017-15708 (GCVE-0-2017-15708)

Vulnerability from cvelistv5

Published

2017-12-11 15:00

Modified

2024-09-17 02:51

Severity ?

CWE

Remote Code Execution Vulnerability

Summary

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/102154	vdb-entry, x_refsource_BID
	https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E	mailing-list, x_refsource_MLIST
	https://security.gentoo.org/glsa/202107-37	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Synapse	Version: 3.0.0 Version: 2.1.0 Version: 2.0.0 Version: 1.2 Version: 1.1.2 Version: 1.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:04:50.319Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "102154",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102154"
          },
          {
            "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E"
          },
          {
            "name": "GLSA-202107-37",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Synapse",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0"
            },
            {
              "status": "affected",
              "version": "2.1.0"
            },
            {
              "status": "affected",
              "version": "2.0.0"
            },
            {
              "status": "affected",
              "version": "1.2"
            },
            {
              "status": "affected",
              "version": "1.1.2"
            },
            {
              "status": "affected",
              "version": "1.1.1"
            }
          ]
        }
      ],
      "datePublic": "2017-12-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-16T07:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "102154",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102154"
        },
        {
          "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E"
        },
        {
          "name": "GLSA-202107-37",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-37"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2017-12-10T00:00:00",
          "ID": "CVE-2017-15708",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Synapse",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "3.0.0"
                          },
                          {
                            "version_value": "2.1.0"
                          },
                          {
                            "version_value": "2.0.0"
                          },
                          {
                            "version_value": "1.2"
                          },
                          {
                            "version_value": "1.1.2"
                          },
                          {
                            "version_value": "1.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "102154",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102154"
            },
            {
              "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3E"
            },
            {
              "name": "GLSA-202107-37",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-37"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-15708",
    "datePublished": "2017-12-11T15:00:00Z",
    "dateReserved": "2017-10-21T00:00:00",
    "dateUpdated": "2024-09-17T02:51:55.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted