CVE-2017-15708— Apache Synapse 注入漏洞

N/A

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

N/A

N/A

Apache Synapse 注入漏洞

Apache Synapse是美国阿帕奇（Apache）基金会的一款轻量级ESB（企业服务总线）。Apache Commons Collections是其中的一个提供了Java集合框架的库。 Apache Synapse中的Apache Commons Collections 3.2.1(commons-collections-3.2.1.jar)及之前的版本中存在注入漏洞。远程攻击者可通过注入特制的序列化对象利用该漏洞执行代码。以下版本受到影响：Apache Synapse 3.0.0版本，2.1.0版

N/A

N/A