CVE-2017-15708

Name of the Vulnerable Software and Affected Versions Apache Synapse versions 1.1.1 through 3.0.1

Description The issue allows remote code execution attacks by injecting specially crafted serialized objects due to the lack of authentication for Java Remote Method Invocation (RMI) in Apache Synapse. The presence of Apache Commons Collections 3.2.1 or previous versions makes this exploitable.

Recommendations For Apache Synapse versions 1.1.1 through 3.0.0, limit RMI access to trusted users only as a temporary mitigation measure. For Apache Synapse versions 1.1.1 through 3.0.0, upgrade to version 3.0.1 to eliminate the risk associated with the vulnerable Commons Collection version. For Apache Synapse version 3.0.1, no additional action is required as Commons Collection has been updated to a non-vulnerable version.