2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What does the early warning for the Apache Synapse remote code execution vulnerability cover? This article presents the corresponding analysis and the recommended fixes in detail.
0x00 event background
Apache Synapse is a simple, lightweight, high-performance enterprise service bus (ESB) released under the Apache Software Foundation's Apache License, Version 2.0. With Apache Synapse, you can filter, transform, route, manipulate, and monitor SOAP, binary, XML, and plain-text messages that pass through large enterprise systems over HTTP, HTTPS, Java™ Message Service (JMS), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), FTP, file systems, and many other transports.
On December 10, 2017, Apache officially disclosed a critical vulnerability in Apache Synapse (CVE-2017-15708) that could lead to remote code execution, which was subsequently analyzed and verified by 360CERT.
0x01 vulnerability description
Apache Synapse opens an RMI service (port 1099) after startup. Because the service does not validate the type of the requested object, a deserialization vulnerability exists. Apache Synapse also uses an older version of the commons-collections library, commons-collections-3.2.1, and a gadget present in that library can be used to achieve remote code execution during deserialization.
Exploitability was verified with ysoserial.
Because the deserialization vulnerability is in RMI, users running a Java version higher than 8u121, 7u131, or 6u141 are not affected by this vulnerability, since a deserialization filtering mechanism was added in later versions.
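The filtering mechanism referred to above is available to application code as java.io.ObjectInputFilter in Java 9 and later. The following added example is not Apache Synapse code and not from the original article; the class names are hypothetical, and it shows a stream reader with no type validation beside one that installs an allowlist filter.

```java
import java.io.*;

// Added illustration (not Synapse code): all class names here are hypothetical.
public class TypeFilterDemo {
    // The only type this imaginary endpoint means to accept.
    static class Expected implements Serializable { int id = 7; }
    // Stand-in for any other serializable class present on the classpath.
    static class Unexpected implements Serializable { int id = 9; }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialize; when filter is non-null it is installed before the first read.
    static Object read(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist one class, cap the object graph depth, reject everything else.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "TypeFilterDemo$Expected;maxdepth=5;!*");

        byte[] good = write(new Expected());
        byte[] other = write(new Unexpected());

        // No type validation: whatever class the sender chose is instantiated.
        System.out.println("unfiltered: " + read(other, null).getClass().getName());

        // With the filter installed, the expected type still loads...
        System.out.println("filtered:   " + read(good, allowlist).getClass().getName());

        // ...and any other class is refused when its class descriptor is read.
        try {
            read(other, allowlist);
        } catch (InvalidClassException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```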
0x02 network-wide impact
Affected versions
Apache Synapse 3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1
Real-time data from the 360CERT network-wide asset retrieval platform.
0x03 repair recommendation
1. Upgrade to the latest version 3.0.1
2. Use a higher version of Java