-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2017-3159: Apache Camel's Snakeyaml unmarshalling operation is vulnerable
to Remote Code Execution attacks

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
The unsupported Camel 2.x (2.14 and earlier) versions may also be affected.

Description: Apache Camel's camel-snakeyaml component contains a Java object
de-serialisation vulnerability. De-serialising untrusted data can lead to security
flaws, including the remote code execution named in the title.

Mitigation: 2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade to 2.18.2.

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-10575
refers to the commits that resolved the issue and has more details.

Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
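The vulnerability class named in the description, as an added illustration that is not code from the advisory or the Camel project: a SnakeYAML loader built with the default constructor instantiates whatever class a `!!` tag in the input names, whereas a SafeConstructor-based loader only builds plain YAML types and rejects such tags. It assumes the SnakeYAML 1.x API of the period; the Camel fix itself is the upgrade given under Mitigation, and SafeConstructor is shown as the general hardening for direct SnakeYAML use, not as the Camel patch.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoadingDemo {
    // Constructed sample input: a YAML document whose global (!!) tag names a JVM
    // class. java.net.URL is used only because it is harmless; the point is that
    // the document, not the application, chooses which class gets instantiated.
    static final String UNTRUSTED_YAML = "!!java.net.URL [\"http://example.invalid/\"]";

    // Weak pattern: the default Constructor resolves !! tags to any class on the
    // classpath and instantiates it while parsing (SnakeYAML 1.x API assumed).
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps,
    // lists, scalars) and throws a YAMLException for tags naming Java classes.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Object built = loadUnsafe(UNTRUSTED_YAML);
        // Prints java.net.URL: the loader constructed an attacker-named class.
        System.out.println("default constructor built: " + built.getClass().getName());
        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("unexpected: safe loader accepted the tag");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```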
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

-----END PGP SIGNATURE-----