title: “Apache Camel Security Advisory - CVE-2014-0003” url: /security/CVE-2014-0003.html date: 2014-03-21T00:38:59.057000 draft: false type: security-advisory cve: CVE-2014-0003 severity: CRITICAL summary: “The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.” description: “The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.” mitigation: “2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d” credit: “This issue was discovered by David Jorm.” affected: 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 fixed: 2.11.4, 2.12.3, 2.13.0 and newer
Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:
<to uri="xslt:file:/tmp/transform.xsl" />
<to uri="file:/tmp/output" />
If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.