[我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability
漏洞编号:CNVD-2017-36700
漏洞编号:CVE-2017-15708
漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache Synapse(CVE-2017-15708)远程命令执行漏洞分析]
// 今年年底抽出时间看Apache的Project,也顺利完成在年初的flag
Apache Synapse Remote Code Execution Vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1
Description:
Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions,
Apache Synapse 3.0.0 or all previous releases allows remote code execution attacks that can be performed by injecting specially crafted serialized objects.
Mitigation:
Upgrade to 3.0.1 version.
In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability.
Credit:
This issue was discovered by QingTeng cloud Security of Minded Security
Researcher jianan.huang
References:
https://commons.apache.org/proper/commons-collections/security-reports.html
https://nvd.nist.gov/vuln/detail/CVE-2017-15708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E
http://seclists.org/oss-sec/2017/q4/378
http://www.openwall.com/lists/oss-security/2017/12/10/4
【版权所有@Sevck 博客地址http://www.cnblogs.com/sevck】 可以转载,注明出处.
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 智能桌面机器人:用.NET IoT库控制舵机并多方法播放表情
· Linux glibc自带哈希表的用例及性能测试
· 深入理解 Mybatis 分库分表执行原理
· 如何打造一个高并发系统?
· .NET Core GC压缩(compact_phase)底层原理浅谈
· 新年开篇:在本地部署DeepSeek大模型实现联网增强的AI应用
· DeepSeek火爆全网,官网宕机?本地部署一个随便玩「LLM探索」
· Janus Pro:DeepSeek 开源革新,多模态 AI 的未来
· 上周热点回顾(1.20-1.26)
· 【译】.NET 升级助手现在支持升级到集中式包管理
2015-12-10 LINUX DIFF命令详解
2015-12-10 【转】Haproxy安装及配置