[我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

漏洞编号:CNVD-2017-36700
漏洞编号:CVE-2017-15708
漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache Synapse(CVE-2017-15708)远程命令执行漏洞分析] 
// 今年年底抽出时间看Apache的Project,也顺利完成在年初的flag
 
Apache Synapse Remote Code Execution Vulnerability
 
Severity: Important 
 
Vendor:
The Apache Software Foundation
 
Versions Affected:
3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1
 
Description:
 
Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, 
Apache Synapse 3.0.0 or all previous releases allows remote code execution attacks that can be performed by injecting specially crafted serialized objects.
 
Mitigation:
Upgrade to 3.0.1 version.
In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability.
 
Credit:
This issue was discovered by QingTeng cloud Security of Minded Security
Researcher jianan.huang  
 
References:
https://commons.apache.org/proper/commons-collections/security-reports.html
https://nvd.nist.gov/vuln/detail/CVE-2017-15708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E
http://seclists.org/oss-sec/2017/q4/378
http://www.openwall.com/lists/oss-security/2017/12/10/4
posted @   sevck  阅读(814)  评论(0编辑  收藏  举报
编辑推荐:
· 智能桌面机器人:用.NET IoT库控制舵机并多方法播放表情
· Linux glibc自带哈希表的用例及性能测试
· 深入理解 Mybatis 分库分表执行原理
· 如何打造一个高并发系统?
· .NET Core GC压缩(compact_phase)底层原理浅谈
阅读排行:
· 新年开篇:在本地部署DeepSeek大模型实现联网增强的AI应用
· DeepSeek火爆全网,官网宕机?本地部署一个随便玩「LLM探索」
· Janus Pro:DeepSeek 开源革新,多模态 AI 的未来
· 上周热点回顾(1.20-1.26)
· 【译】.NET 升级助手现在支持升级到集中式包管理
历史上的今天:
2015-12-10 LINUX DIFF命令详解
2015-12-10 【转】Haproxy安装及配置
点击右上角即可分享
微信分享提示