Remote code execution

2017-12-1115:29:00

PRIOn knowledge base

www.prio-n.com

9.8 High

AI Score

Confidence

High

0.026 Low

EPSS

Percentile

90.4%

JSON

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

CPENameOperatorVersion
synapseeq3.0.0
synapseeq2.1.0
synapseeq2.0.0
synapseeq1.2
synapseeq1.1.2
synapseeq1.1.1
synapseeq1.0
synapseeq1.1
financial_services_market_risk_measurement_and_managementeq8.0.6
financial_services_market_risk_measurement_and_managementeq8.0.8

Name	Operator	Version
synapse	eq	3.0.0
synapse	eq	2.1.0
synapse	eq	2.0.0
synapse	eq	1.2
synapse	eq	1.1.2
synapse	eq	1.1.1
synapse	eq	1.0
synapse	eq	1.1
financial_services_market_risk_measurement_and_management	eq	8.0.6
financial_services_market_risk_measurement_and_management	eq	8.0.8