Apache Camel security advisory: CVE-2015-5344
Severity
MEDIUMSummary
Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.Versions affected
2.15.0 up to 2.15.4, 2.16.0Versions fixed
2.15.5, 2.16.1 and newerDescription
Apache Camel's camel-xstream component is vulnerable to Java object de-serialisation vulnerability. Such as de-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9297 refers to the various commits that resovoled the issue, and have more details.
A related xstream de-serialization vulnerability was recently reported for Apache ActiveMQ: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v2
Mitigation
2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1. And if you are using camel-xstream to serialize payload to Java objects, then you need to explicitly list trusted packages. To see how to do that, please take a look at: http://camel.apache.org/xstreamCredit
This issue was discovered by Christian Schneider.References
- PGP signed advisory data: CVE-2015-5344.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5344