CVE-2017-15708

critical Apache
CVSS v3 Base Score
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
19.9%
Exploitation probability in 30 days
Top 4% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: December 11, 2017 (3076 days ago)
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

CWE

CWE-74

Affected Products

apache synapseoracle financial services market risk measurement and managementoracle peoplesoft enterprise peopletools

References

🔗 www.securityfocus.com 🔗 lists.apache.org 🔗 lists.apache.org 🔗 security.gentoo.org 🔗 www.oracle.com