content/security/CVE-2014-0003.txt.asc - camel-website - Git at Google

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 CVE-2014-0003: Apache Camel critical disclosure vulnerability

 Severity: Critical

 Vendor: The Apache Software Foundation

 Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2
 The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions may be also affected.

 Description: The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.

 Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d

 Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:
 <route>
   <from uri="servlet:///hello"/>
   <to uri="xslt:file:/tmp/transform.xsl" />
   <to uri="file:/tmp/output" />
 </route>

 If an attacker is able to submit a message to this route, they can change the XSLT stylesheet to use for this transfiormation. This stylesheet could be provided by a valid URL and could perform arbitrary remote code execution.

 Credit: This issue was discovered by David Jorm.

 References: http://camel.apache.org/security-advisories.html
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
 Comment: GPGTools - http://gpgtools.org

 iQIcBAEBAgAGBQJTENZYAAoJEImh9lEqI5wsHK0P/35/jWdyzENsaPmW6dlivhuq
 b1GAeMQL5gN/lws1VC0+2cQ0HGqOxLItzpse3P0gApMqRi7uGnFT+Amblc2tLvFv
 mPJa1Zdm1jjtANPx1oweb3i7VtWXwefBivQ+RxxhKfaru96Q20NK8d2u203+GK9Y
 fjQmKHTgUtkpNxKfEgbtkHpCOX1C8xrBs/+JWHhtZFEBQHpzbllO5M2ofrjyJIsL
 OaJsd8hVxPXRgyjGDjuSrEObnvszEYkABCbrUgVrTI0NxewUg3orKb1GQjSpw9D9
 YehQurloyHcoqzRkNZsGaeZtiKnCmbyXmii61EoopoWnUyF1lRC8iCgmvyQDpoto
 ZVmkhhVl4VON7wSii4A9p4RDBch/zi6rlq+OYx13ZRMqtP6v+hgGNIZiSZ7j4ZTa
 wHh/A6MTN44/rAefnu8f2IhXPeTmWznez1jCc2hL4v/p+s4ttVNM1KBZkm/6saBH
 VNOrmu46Tcl/cll/tSP5rC+P/LMmCMPdciuV/zSofHjvG5meJMl0a08dMvdNobZi
 zGAcHAr6qXiYy6qMMMbTbQu++JUUWnbtaFndWHs/ALOUP9zF+fky30JTu/h2/RuZ
 98RnR19XsfL+JgouLmFkP/HtA/qUjbaUHQIvJj6J0R+aR+ItszthGDnSNRXWg1LR
 hvVPgX0RU6vPWJoJ0Wd5
 =gxws
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA1

	CVE-2014-0003: Apache Camel critical disclosure vulnerability

	Severity: Critical

	Vendor: The Apache Software Foundation

	Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2
	The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions may be also affected.

	Description: The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.

	Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d

	Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:
	<route>
	<from uri="servlet:///hello"/>
	<to uri="xslt:file:/tmp/transform.xsl" />
	<to uri="file:/tmp/output" />
	</route>

	If an attacker is able to submit a message to this route, they can change the XSLT stylesheet to use for this transfiormation. This stylesheet could be provided by a valid URL and could perform arbitrary remote code execution.

	Credit: This issue was discovered by David Jorm.

	References: http://camel.apache.org/security-advisories.html
	-----BEGIN PGP SIGNATURE-----
	Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
	Comment: GPGTools - http://gpgtools.org

	iQIcBAEBAgAGBQJTENZYAAoJEImh9lEqI5wsHK0P/35/jWdyzENsaPmW6dlivhuq
	b1GAeMQL5gN/lws1VC0+2cQ0HGqOxLItzpse3P0gApMqRi7uGnFT+Amblc2tLvFv
	mPJa1Zdm1jjtANPx1oweb3i7VtWXwefBivQ+RxxhKfaru96Q20NK8d2u203+GK9Y
	fjQmKHTgUtkpNxKfEgbtkHpCOX1C8xrBs/+JWHhtZFEBQHpzbllO5M2ofrjyJIsL
	OaJsd8hVxPXRgyjGDjuSrEObnvszEYkABCbrUgVrTI0NxewUg3orKb1GQjSpw9D9
	YehQurloyHcoqzRkNZsGaeZtiKnCmbyXmii61EoopoWnUyF1lRC8iCgmvyQDpoto
	ZVmkhhVl4VON7wSii4A9p4RDBch/zi6rlq+OYx13ZRMqtP6v+hgGNIZiSZ7j4ZTa
	wHh/A6MTN44/rAefnu8f2IhXPeTmWznez1jCc2hL4v/p+s4ttVNM1KBZkm/6saBH
	VNOrmu46Tcl/cll/tSP5rC+P/LMmCMPdciuV/zSofHjvG5meJMl0a08dMvdNobZi
	zGAcHAr6qXiYy6qMMMbTbQu++JUUWnbtaFndWHs/ALOUP9zF+fky30JTu/h2/RuZ
	98RnR19XsfL+JgouLmFkP/HtA/qUjbaUHQIvJj6J0R+aR+ItszthGDnSNRXWg1LR
	hvVPgX0RU6vPWJoJ0Wd5
	=gxws
	-----END PGP SIGNATURE-----