title: "Apache Camel Security Advisory - CVE-2015-5348"
url: /security/CVE-2015-5348.html
date: 2016-04-15T11:59:00.110000
draft: false
type: security-advisory
cve: CVE-2015-5348
severity: MEDIUM
summary: "Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability."
description: "Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability."
mitigation: "2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1."
credit: "This issue was discovered by Sim Yih Tsern."
affected: 2.15.0 up to 2.15.4, 2.16.0
fixed: 2.15.5, 2.16.1 and newer

If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel automatically de-serializes HTTP requests that carry the Content-Type header application/x-java-serialized-object.
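As an added example (not part of this advisory and not Camel's own code), the check below is what a reverse proxy or servlet filter placed in front of a camel-jetty/camel-servlet consumer could apply to refuse requests that would reach the automatic de-serialization path. It keys on the Content-Type named above and, as a second signal, on the Java serialization stream magic bytes 0xACED0005 (a constant of the Java serialization format, not something the advisory states); the version ranges come from the advisory header, and the sample requests are constructed for the example.

```python
# Added example: front-end filtering for CVE-2015-5348 exposure. Not Camel code.

JAVA_SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"  # from the advisory
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header (format constant)


def is_affected_camel_version(version):
    """True for the versions the advisory lists as affected: 2.15.0-2.15.4 and 2.16.0."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (2, 15, 0) <= parts <= (2, 15, 4) or parts == (2, 16, 0)


def is_java_serialized_request(headers, body):
    """Return (flagged, reason) for one request.

    headers: dict of header name -> value (names matched case-insensitively)
    body:    request body bytes
    Flags on the declared media type first, then on the stream magic so a
    serialized object sent under a different Content-Type is still caught.
    """
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
            break
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == JAVA_SERIALIZED_CONTENT_TYPE:
        return True, "content-type"
    if body[:4] == JAVA_STREAM_MAGIC:
        return True, "stream-magic"
    return False, ""


def flagged_requests(requests):
    """Return [(index, reason)] for every request in a list of (headers, body) pairs."""
    flagged = []
    for index, (headers, body) in enumerate(requests):
        hit, reason = is_java_serialized_request(headers, body)
        if hit:
            flagged.append((index, reason))
    return flagged


# Constructed sample traffic: one JSON request, one declared serialized object,
# one serialized object hidden behind a generic media type, one empty request.
SAMPLE_REQUESTS = [
    ({"Content-Type": "application/json"}, b'{"order": 1}'),
    ({"content-type": "application/x-java-serialized-object; charset=binary"}, b"\xac\xed\x00\x05sr"),
    ({"Content-Type": "application/octet-stream"}, b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    ({}, b""),
]

if __name__ == "__main__":
    print(flagged_requests(SAMPLE_REQUESTS))  # [(1, 'content-type'), (2, 'stream-magic')]
```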

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resolved the issue.