oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability

From: Isuru Udana <isudana () apache org>
Date: Sun, 14 Jan 2018 11:21:57 +0530
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Update on this vulnerability

In Apache Synapse, by default no authentication is required for Java
Remote Method Invocation (RMI).
So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0,
1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be
performed by injecting specially crafted serialized objects.
And the presence of Apache Commons Collections 3.2.1
(commons-collections-3.2.1.jar) or previous versions in Synapse
distribution makes this exploitable.

To mitigate the issue, we need to limit RMI access to trusted users only.
To enforce authentication of users, we can configure a username and a
password by setting following two parameters in synapse.properties
file.

synapse.jmx.username
synapse.jmx.password

Further upgrading to 3.0.1 version will eliminate the risk of having
said Commons Collection version.
In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

-----BEGIN PGP SIGNATURE-----
Comment: MacGPG2 - http://www.gpgtools.org/macgpg2.html

iQIzBAEBCgAdFiEE3kfhRbRVsOy2YlAnVEJWkuNs5sMFAlpa70AACgkQVEJWkuNs
5sM3+hAArF09ZnJnAb7iHhaacmV83NiJc0htg/Eal0ZwE6JVZD8qbFHFhuAgB5be
+lvryDqAwQiPaXdS/wDoG9GyYQQX2YJVngKas4MJdCjelYFICkXeEtFbqam4cutY
2kixB1Gn+q3lcqjxIGVL8TPKgImZ6Mg4bu3w7L24KXVujChvUFWmuFHj4EDOe3OG
StGQcHaGgQoL9HQUH8ciibT7HtjDd2gzkkdvhmxshOY51uEBQxwUzCP+UhagcA1/
xEZNfZ/PeVi34ipoc206Uw7ZRGiCpBoabMTtCpkrvzal+edsQdXMdXUumkwOs7bd
b85jVWPO02NsDb9fjJTfNvqsEu9iTUdMNRKLOENL3mT33yYF35UaLaxclVO26D4K
ma6EJv1ss50T7mEXr1JbbEe0FOZqY6BsR4U0HPDIgynV3NMqN5/KzsKAc+Jy6Wp0
uMAakbXepZW1zRbS+UFo5Ex67MAQDnp25xiwrwputTel13lAwz0gWQISxmSCRNV/
qL9c+dB20wbQMGeSvMhfqtgQprCE55MoCvb8FEI52zROfLpVtM1DtQzhG4vKYnvo
kXrTdvpIeFn9S80RoqZfTHJ8u2rW+AJqw7nbvfEXtMhp117yVAJQKtRyGls2tAFj
utuqPtSazQZvf6nZnjK4Um/VkWEnwxajLrFl9cnODJa9zu629/k=
=/Vec
-----END PGP SIGNATURE-----

On Sun, Dec 10, 2017 at 7:31 PM, Isuru Udana <isudana () apache org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2017-15708: Apache Synapse Remote Code Execution Vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1

Description:

Due to the presence of Apache Commons Collections 3.2.1
(commons-collections-3.2.1.jar) or previous versions,
Apache Synapse 3.0.0 or all previous releases allows remote code
execution attacks that can be performed by
injecting specially crafted serialized objects.

Mitigation:
Upgrade to 3.0.1 version.
    In Synapse 3.0.1 version, Commons Collection has been updated to
3.2.2 version which contains
    the fix for the above mentioned vulnerability.

Credit:
This issue was discovered by QingTeng cloud Security of Minded Security
Researcher jianan.huang


References:
https://commons.apache.org/proper/commons-collections/security-reports.html

Isuru Udana
VP, Apache Synapse

-----BEGIN PGP SIGNATURE-----
Comment: MacGPG2 - http://www.gpgtools.org/macgpg2.html

iQIzBAEBCgAdFiEE3kfhRbRVsOy2YlAnVEJWkuNs5sMFAlotO40ACgkQVEJWkuNs
5sN+xg/+P/iHhK3JAULQy6JlLt7T2oUmd9EjEfpp6VimVTARPzywAzH39ZdeNEnq
dd7eCjadE2CCR5QVcLNgTxyKIL6KDqOtBrJFksiZi5Q2kx0rMzbs1cz48POUd0NK
DNFWngbLqMvY9kkkm7ioS3aXpZ99pdIpr9e11tqMj6ds2OOqUn5KpbEJvlBi3Htr
QpD+Rp42myuHE6kHl5g9CR9fo42WyUvihuutpBv1+aWwR6CJaBSuN+H6tkrJQUqj
StFk7nNG/RfsNHmlwCFORk3JYsaao8p1f4o4YTQAsaAu6u3frj29kt2RnSDyjt6m
uQEkuRlmlb82xDh/3WxNbjoAIYGjrlEKEJxJtW6x0pZ9w3Hl7ccLRglclFmrenjx
T0+aBF4S5DaYixaMZAS3OMFe86e+9MXLtdCUopWmq9Je+dDeLovfYvzTL6j4vyEF
NsAfSpz9yJQ/e/3uYAyyaR31XoS5kmtQSDclGijR4YhPIc25P5/yVjwc63CNO2sv
kb/wAecK+zVPJOIXYloW+IrLwUxmgz/UTd3Ogqg6xP+ClCTIIz4z9fsght0aULBV
0YR6bmzigYthMFWdFiQDsDvWYFXVyJjeyVFfyyxOUlUjIY5pqZq+moWYQJ90dV+B
J3Bi10tFhyZBNzyAe1R4unBISx6WOE+wCdkoexTpmx6XGce63iU=
=Z+d2
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: