title: “Apache Camel Security Advisory - CVE-2015-5344” url: /security/CVE-2015-5344.html date: 2016-02-03T13:59:00.117000 draft: false type: security-advisory cve: CVE-2015-5344 severity: MEDIUM summary: “Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.” description: “Apache Camel's camel-xstream component is vulnerable to Java object de-serialisation vulnerability. Such as de-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.” mitigation: “2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1. And if you are using camel-xstream to serialize payload to Java objects, then you need to explicitly list trusted packages. To see how to do that, please take a look at: http://camel.apache.org/xstream” credit: “This issue was discovered by Christian Schneider.” affected: 2.15.0 up to 2.15.4, 2.16.0 fixed: 2.15.5, 2.16.1 and newer

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9297 refers to the various commits that resovoled the issue, and have more details.

A related xstream de-serialization vulnerability was recently reported for Apache ActiveMQ: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v2