[我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

漏洞编号：CNVD-2017-36700

漏洞编号：CVE-2017-15708

漏洞分析：https://www.javasec.cn/index.php/archives/117/ [Apache Synapse(CVE-2017-15708)远程命令执行漏洞分析] 

// 今年年底抽出时间看Apache的Project,也顺利完成在年初的flag

 

Apache Synapse Remote Code Execution Vulnerability

 

Severity: Important 

 

Vendor:

The Apache Software Foundation

 

Versions Affected:

3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1

 

Description:

 

Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, 

Apache Synapse 3.0.0 or all previous releases allows remote code execution attacks that can be performed by injecting specially crafted serialized objects.

 

Mitigation:

Upgrade to 3.0.1 version.

In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability.

 

Credit:

This issue was discovered by QingTeng cloud Security of Minded Security

Researcher jianan.huang  

 

References:

https://commons.apache.org/proper/commons-collections/security-reports.html

https://nvd.nist.gov/vuln/detail/CVE-2017-15708

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E

http://seclists.org/oss-sec/2017/q4/378

http://www.openwall.com/lists/oss-security/2017/12/10/4