From d67ebb81312e6b9cef601b2c45a6c558c29a3757 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Mon, 8 Jan 2018 09:04:40 -0500 Subject: [PATCH] - Synchronized data. --- 2017/15xxx/CVE-2017-15708.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2017/15xxx/CVE-2017-15708.json b/2017/15xxx/CVE-2017-15708.json index c724ddc8993..e5cfa5f84a4 100644 --- a/2017/15xxx/CVE-2017-15708.json +++ b/2017/15xxx/CVE-2017-15708.json @@ -50,7 +50,7 @@ "description_data" : [ { "lang" : "eng", - "value" : "Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, Apache Synapse 3.0.0 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. To mitigate the issue upgrading to 3.0.1 version is required. In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability." + "value" : "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version." } ] },