  • [My CVE][CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability

    Vulnerability ID: CNVD-2017-36700
    Vulnerability ID: CVE-2017-15708
    Vulnerability analysis: https://www.javasec.cn/index.php/archives/117/ [Apache Synapse (CVE-2017-15708) remote command execution vulnerability analysis]
    // At the end of this year I set aside time to look at Apache projects, and also managed to complete the goal I set for myself at the start of the year.
     
    Apache Synapse Remote Code Execution Vulnerability
     
    Severity: Important 
     
    Vendor:
    The Apache Software Foundation
     
    Versions Affected:
    3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1
     
    Description:
     
    Because it bundles Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version,
    Apache Synapse 3.0.0 and all previous releases are exposed to remote code execution attacks carried out by injecting specially crafted serialized objects.
     
    Mitigation:
    Upgrade to version 3.0.1.
    In Synapse 3.0.1, Commons Collections has been updated to version 3.2.2, which contains the fix for the above-mentioned vulnerability.
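
    Two checks a practitioner wants after reading this advisory: whether a given commons-collections jar is still in the affected range, and whether an inbound Java serialized stream names the Commons Collections functor classes used by the public gadget chains. The following Python script is an added example written for this page, not code from the advisory or from the Synapse project. The version cut-offs follow the Commons Collections security report the advisory references (3.x fixed in 3.2.2, 4.x fixed in 4.1); the gadget-class watch list is compiled here and is an assumption, and the sample stream is a constructed fragment (a TC_CLASSDESC header with no field data, not a working payload).

```python
import re
import struct

# Commons Collections releases that restored safe deserialization of the
# functor classes, per the project's security report (assumption: only the
# 3.x and 4.x lines are covered here, matching the advisory's scope).
FIXED_VERSIONS = {3: (3, 2, 2), 4: (4, 1)}

# Functor classes that the public gadget chains rely on. This watch list is
# compiled for this example and is not taken from the advisory.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.functors.InstantiateFactory",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.WhileClosure",
}

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION 5
TC_CLASSDESC = 0x72                        # tag that precedes a class name
JAVA_CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")


def parse_version(version):
    """Turn '3.2.1' or 'commons-collections-3.2.1.jar' into a tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected_version(version):
    """True if this commons-collections version predates the fix for its line."""
    parts = parse_version(version)
    # Strip a leading 'commons-collections-' style prefix: the first digit group
    # that is 3 or 4 is taken as the major version.
    while parts and parts[0] not in FIXED_VERSIONS:
        parts = parts[1:]
    if not parts:
        raise ValueError("not a 3.x or 4.x Commons Collections version: %r" % version)
    return parts < FIXED_VERSIONS[parts[0]]


def class_names(stream):
    """Heuristically pull class names out of TC_CLASSDESC records.

    Java serialization writes a class descriptor as 0x72, a 2-byte big-endian
    length, then the class name in modified UTF-8. This scanner does not parse
    the whole stream; it looks for that shape and keeps only plausible names.
    """
    names = []
    i = 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(stream):
            return names
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        candidate = stream[i + 3:i + 3 + length]
        if len(candidate) == length and JAVA_CLASS_NAME.fullmatch(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length
        else:
            i += 1


def find_gadgets(stream):
    """Return the watch-listed class names present in a Java serialized stream."""
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return []
    return [name for name in class_names(stream) if name in GADGET_CLASSES]


def _classdesc(name):
    """Constructed TC_CLASSDESC: name, zero serialVersionUID, SC_SERIALIZABLE, 0 fields."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")


# Constructed sample: an object graph header naming LazyMap and then
# InvokerTransformer, the way the public chains nest them. Not a live payload.
SAMPLE_STREAM = (JAVA_SERIAL_MAGIC
                 + b"\x73" + _classdesc("org.apache.commons.collections.map.LazyMap") + b"\x78\x70"
                 + b"\x73" + _classdesc("org.apache.commons.collections.functors.InvokerTransformer") + b"\x78\x70")


if __name__ == "__main__":
    for jar in ("commons-collections-3.2.1.jar", "commons-collections-3.2.2.jar", "4.0", "4.1"):
        print(jar, "affected" if is_affected_version(jar) else "fixed")
    print("gadget classes in sample:", find_gadgets(SAMPLE_STREAM))
```

    The version check is what to run over a Synapse lib directory before and after the upgrade to 3.0.1; the stream scanner is a cheap network- or log-side detection that flags the gadget classes by name. It is a heuristic (a stray 0x72 followed by a plausible length and ASCII could match), and it does not replace the real fix, which is the upgraded jar; a renamed or nested class descriptor reference (TC_REFERENCE) will not appear as a name.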
     
    Credit:
    This issue was discovered by jianan.huang, researcher at QingTeng Cloud Security of Minded Security.
     
    References:
    https://commons.apache.org/proper/commons-collections/security-reports.html
    https://nvd.nist.gov/vuln/detail/CVE-2017-15708
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
    https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E
    http://seclists.org/oss-sec/2017/q4/378
    http://www.openwall.com/lists/oss-security/2017/12/10/4
  • Original post: https://www.cnblogs.com/sevck/p/8017711.html