content/security/CVE-2016-8749.txt.asc - camel-website - Git at Google

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable
 to Remote Code Execution attacks

 Severity: MEDIUM

 Vendor: The Apache Software Foundation

 Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
 The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.

 Description: Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object
 de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType'
 property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

 Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should
 upgrade to 2.18.2.

 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
 refers to the various commits that resovoled the issue, and have more details.

 Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)

 iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ
 BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor
 tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM
 rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7
 R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1
 eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I=
 =/6Ky
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA1

	CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable
	to Remote Code Execution attacks

	Severity: MEDIUM

	Vendor: The Apache Software Foundation

	Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
	The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.

	Description: Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object
	de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType'
	property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

	Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should
	upgrade to 2.18.2.

	The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
	refers to the various commits that resovoled the issue, and have more details.

	Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
	-----BEGIN PGP SIGNATURE-----
	Version: GnuPG v2.0.22 (GNU/Linux)

	iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ
	BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor
	tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM
	rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7
	R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1
	eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I=
	=/6Ky
	-----END PGP SIGNATURE-----