Apache Camel security advisory: CVE-2015-5344

Severity

MEDIUM

Summary

Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.

Versions affected

2.15.0 up to 2.15.4, 2.16.0

Versions fixed

2.15.5, 2.16.1 and newer

Description

Apache Camel's camel-xstream component is vulnerable to Java object de-serialisation vulnerability. Such as de-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Notes

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9297 refers to the various commits that resovoled the issue, and have more details.

A related xstream de-serialization vulnerability was recently reported for Apache ActiveMQ: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v2

Mitigation

2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1. And if you are using camel-xstream to serialize payload to Java objects, then you need to explicitly list trusted packages. To see how to do that, please take a look at: http://camel.apache.org/xstream

Credit

This issue was discovered by Christian Schneider.

References

PGP signed advisory data: CVE-2015-5344.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5344