CVE-2017-15708
WSO2 Products Impacted: No
Customers Actions Required: No
REPORTED VULNERABILITY
In Apache Synapse, no authentication is required for Java Remote Method Invocation (RMI) by default. As a result, Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution attacks performed by injecting specially crafted serialized objects. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or earlier versions in the Synapse distribution is what makes this exploitable [1].
REPORTED PRODUCTS
- WSO2 API Manager : 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0
- WSO2 Micro Integrator : 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0
- WSO2 Enterprise Integrator : 6.6.0
WSO2 JUSTIFICATION
WSO2 products use synapse-core 2.1.7, which is forked from the original Synapse repository. The CVE in consideration describes a vulnerability in the Synapse distribution (the server); WSO2 products ship only the core modules, not the server itself. In addition, WSO2 products depend on Apache Commons Collections 3.2.2 or later, not the affected 3.2.1 release. The RMI port in WSO2 products is used for JMX monitoring and is secured with authentication: only admin users registered in the product's userstores can access the RMI ports for JMX monitoring.
Note
In Micro Integrator, JMX monitoring is disabled by default. Only the admin users registered in the MI userstore can access the RMI port for JMX monitoring if JMX monitoring is enabled.
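A way to verify the authentication claim above on a running instance, as an added check that is not part of this advisory or of WSO2's code: an anonymous JMX connection must be rejected with a SecurityException, while an admin user's credentials must be accepted. The service URL, ports and credentials below are placeholders to be replaced with the deployment's own values.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Added check (not WSO2 code): confirms the JMX/RMI endpoint enforces authentication. */
public class JmxAuthCheck {

    // Placeholder endpoint: substitute the RMI registry host/port configured for the product.
    static final String JMX_URL = "service:jmx:rmi:///jndi/rmi://HOST:PORT/jmxrmi";

    /** True only when a connect attempt without credentials is refused with SecurityException. */
    static boolean anonymousAccessRejected(String url) throws IOException {
        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(url))) {
            // Reaching here means the endpoint accepted an anonymous client: auth is NOT enforced.
            c.getMBeanServerConnection().getMBeanCount();
            return false;
        } catch (SecurityException e) {
            return true; // expected outcome: "Authentication failed" from the RMI connector
        }
        // An IOException (port closed, JMX disabled as in the Micro Integrator default) is
        // propagated: an unreachable endpoint proves nothing about authentication.
    }

    /** True when the supplied admin credentials are accepted and an MBean query succeeds. */
    static boolean credentialsAccepted(String url, String user, String password) throws IOException {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {user, password});
        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            return c.getMBeanServerConnection().getMBeanCount() != null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder admin credentials; the user must exist in the product's userstore.
        String url = args.length > 0 ? args[0] : JMX_URL;
        boolean rejected = anonymousAccessRejected(url);
        boolean accepted = credentialsAccepted(url, "ADMIN_USER", "ADMIN_PASSWORD");
        System.out.println("anonymous rejected: " + rejected + ", admin accepted: " + accepted);
        if (!rejected) {
            System.err.println("FAIL: JMX/RMI endpoint accepts unauthenticated clients");
            System.exit(1);
        }
    }
}
```

Run it against a started product with JMX enabled; a non-zero exit indicates the endpoint does not enforce authentication and should be investigated before relying on this advisory's conclusion.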
CONCLUSION
- Synapse distribution is not used in WSO2 products. Instead, we use a forked version of synapse-core.
- RMI port is secured with authentication.
Therefore, WSO2 concludes that this is not an exploitable vulnerability in WSO2 products, and a synapse version upgrade will not be performed due to CVE-2017-15708.