-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable
to Remote Code Execution attacks

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
The unsupported Camel 2.x versions (2.15 and earlier) may also be affected.

Description: Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object
de-serialisation flaw. Both data formats unmarshal an incoming payload into a Java type, and Camel allows that
type to be specified by the message itself through the 'CamelJacksonUnmarshalType' header. A sender who controls
that header can therefore make the component de-serialise untrusted data into a class of the sender's choosing
from the application classpath. De-serialising untrusted data can lead to remote code execution, as demonstrated
in various similar reports about Java de-serialisation issues.

Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users to 2.17.5, and 2.18.x users to 2.18.2.

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
refer to the commits that resolved the issue and contain further details.

Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ
BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor
tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM
rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7
R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1
eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I=
=/6Ky
-----END PGP SIGNATURE-----