CVE-2017-15708: Injection Vulnerability
Apache Synapse requires no authentication by default for Java Remote Method Invocation (RMI). As a result, Apache Synapse is exposed to remote code execution attacks carried out by injecting specially crafted serialized objects over the RMI interface. The issue is exploitable when Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version is present in the Synapse distribution. To mitigate the issue, RMI access must be restricted to trusted users only.
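As an added example that is not part of this advisory or of Apache Synapse itself, the following Python check lists the JARs in a Synapse installation's lib directory that match the affected library at version 3.2.1 or earlier; the directory path and the sample file names are assumptions constructed for illustration.

```python
import os
import re
from typing import Iterable, List, Tuple

# Version the advisory names as exploitable (this and earlier versions).
LAST_VULNERABLE = (3, 2, 1)

# Matches e.g. "commons-collections-3.2.1.jar". The separately versioned
# commons-collections4 artifact has a different name and is not matched.
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_jar(filename: str) -> bool:
    """True if the file is commons-collections at or below 3.2.1."""
    match = JAR_RE.match(filename)
    if not match:
        return False
    version = parse_version(match.group(1))
    # Pad short versions so "3.2" compares as (3, 2, 0).
    padded = version + (0,) * (len(LAST_VULNERABLE) - len(version))
    return padded <= LAST_VULNERABLE


def find_vulnerable_jars(filenames: Iterable[str]) -> List[str]:
    """Return the affected JAR names from a listing, sorted for stable output."""
    return sorted(name for name in filenames if is_vulnerable_jar(name))


def scan_lib_dir(path: str) -> List[str]:
    """Scan a directory (hypothetical Synapse lib path) for affected JARs."""
    return find_vulnerable_jars(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real distribution.
    sample = [
        "commons-collections-3.2.1.jar",
        "commons-collections-3.2.jar",
        "commons-collections-3.2.2.jar",
        "commons-collections4-4.1.jar",
        "synapse-core-3.0.0.jar",
    ]
    for jar in find_vulnerable_jars(sample):
        print("affected:", jar)
```

Run `scan_lib_dir("/path/to/synapse/lib")` against a real installation to get the list for that host; an empty result means no matching commons-collections JAR was found in that directory.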