title: “Apache Camel Security Advisory - CVE-2016-8749” url: /security/CVE-2016-8749.html date: 2017-03-28T14:59:00.143000 draft: false type: security-advisory cve: CVE-2016-8749 severity: MEDIUM summary: “Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks” description: “Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows to specify such a type through the ‘CamelJacksonUnmarshalType’ property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.” mitigation: “2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade to 2.18.2.” credit: “This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.” affected: 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 fixed: 2.16.5, 2.17.5, 2.18.2

The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604 refers to the various commits that resovoled the issue, and have more details.