Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 14 Jan 2018 11:21:57 +0530
From: Isuru Udana <isudana@...che.org>
To: security <security@...che.org>, dev@...apse.apache.org, user@...apse.apache.org, 
	jianan huang <sevcks@...il.com>, oss-security@...ts.openwall.com
Subject: Re: [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Update on this vulnerability

In Apache Synapse, by default no authentication is required for Java
Remote Method Invocation (RMI).
So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0,
1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be
performed by injecting specially crafted serialized objects.
And the presence of Apache Commons Collections 3.2.1
(commons-collections-3.2.1.jar) or previous versions in Synapse
distribution makes this exploitable.

To mitigate the issue, we need to limit RMI access to trusted users only.
To enforce authentication of users, we can configure a username and a
password by setting following two parameters in synapse.properties
file.

synapse.jmx.username
synapse.jmx.password

Further upgrading to 3.0.1 version will eliminate the risk of having
said Commons Collection version.
In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

-----BEGIN PGP SIGNATURE-----
Comment: MacGPG2 - http://www.gpgtools.org/macgpg2.html

iQIzBAEBCgAdFiEE3kfhRbRVsOy2YlAnVEJWkuNs5sMFAlpa70AACgkQVEJWkuNs
5sM3+hAArF09ZnJnAb7iHhaacmV83NiJc0htg/Eal0ZwE6JVZD8qbFHFhuAgB5be
+lvryDqAwQiPaXdS/wDoG9GyYQQX2YJVngKas4MJdCjelYFICkXeEtFbqam4cutY
2kixB1Gn+q3lcqjxIGVL8TPKgImZ6Mg4bu3w7L24KXVujChvUFWmuFHj4EDOe3OG
StGQcHaGgQoL9HQUH8ciibT7HtjDd2gzkkdvhmxshOY51uEBQxwUzCP+UhagcA1/
xEZNfZ/PeVi34ipoc206Uw7ZRGiCpBoabMTtCpkrvzal+edsQdXMdXUumkwOs7bd
b85jVWPO02NsDb9fjJTfNvqsEu9iTUdMNRKLOENL3mT33yYF35UaLaxclVO26D4K
ma6EJv1ss50T7mEXr1JbbEe0FOZqY6BsR4U0HPDIgynV3NMqN5/KzsKAc+Jy6Wp0
uMAakbXepZW1zRbS+UFo5Ex67MAQDnp25xiwrwputTel13lAwz0gWQISxmSCRNV/
qL9c+dB20wbQMGeSvMhfqtgQprCE55MoCvb8FEI52zROfLpVtM1DtQzhG4vKYnvo
kXrTdvpIeFn9S80RoqZfTHJ8u2rW+AJqw7nbvfEXtMhp117yVAJQKtRyGls2tAFj
utuqPtSazQZvf6nZnjK4Um/VkWEnwxajLrFl9cnODJa9zu629/k=
=/Vec
-----END PGP SIGNATURE-----

On Sun, Dec 10, 2017 at 7:31 PM, Isuru Udana <isudana@...che.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2017-15708: Apache Synapse Remote Code Execution Vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> 3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1
>
> Description:
>
> Due to the presence of Apache Commons Collections 3.2.1
> (commons-collections-3.2.1.jar) or previous versions,
> Apache Synapse 3.0.0 or all previous releases allows remote code
> execution attacks that can be performed by
> injecting specially crafted serialized objects.
>
> Mitigation:
> Upgrade to 3.0.1 version.
>     In Synapse 3.0.1 version, Commons Collection has been updated to
> 3.2.2 version which contains
>     the fix for the above mentioned vulnerability.
>
> Credit:
> This issue was discovered by QingTeng cloud Security of Minded Security
> Researcher jianan.huang
>
>
> References:
> https://commons.apache.org/proper/commons-collections/security-reports.html
>
> Isuru Udana
> VP, Apache Synapse
>
> -----BEGIN PGP SIGNATURE-----
> Comment: MacGPG2 - http://www.gpgtools.org/macgpg2.html
>
> iQIzBAEBCgAdFiEE3kfhRbRVsOy2YlAnVEJWkuNs5sMFAlotO40ACgkQVEJWkuNs
> 5sN+xg/+P/iHhK3JAULQy6JlLt7T2oUmd9EjEfpp6VimVTARPzywAzH39ZdeNEnq
> dd7eCjadE2CCR5QVcLNgTxyKIL6KDqOtBrJFksiZi5Q2kx0rMzbs1cz48POUd0NK
> DNFWngbLqMvY9kkkm7ioS3aXpZ99pdIpr9e11tqMj6ds2OOqUn5KpbEJvlBi3Htr
> QpD+Rp42myuHE6kHl5g9CR9fo42WyUvihuutpBv1+aWwR6CJaBSuN+H6tkrJQUqj
> StFk7nNG/RfsNHmlwCFORk3JYsaao8p1f4o4YTQAsaAu6u3frj29kt2RnSDyjt6m
> uQEkuRlmlb82xDh/3WxNbjoAIYGjrlEKEJxJtW6x0pZ9w3Hl7ccLRglclFmrenjx
> T0+aBF4S5DaYixaMZAS3OMFe86e+9MXLtdCUopWmq9Je+dDeLovfYvzTL6j4vyEF
> NsAfSpz9yJQ/e/3uYAyyaR31XoS5kmtQSDclGijR4YhPIc25P5/yVjwc63CNO2sv
> kb/wAecK+zVPJOIXYloW+IrLwUxmgz/UTd3Ogqg6xP+ClCTIIz4z9fsght0aULBV
> 0YR6bmzigYthMFWdFiQDsDvWYFXVyJjeyVFfyyxOUlUjIY5pqZq+moWYQJ90dV+B
> J3Bi10tFhyZBNzyAe1R4unBISx6WOE+wCdkoexTpmx6XGce63iU=
> =Z+d2
> -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.