-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable
to Remote Code Execution attacks

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.

Description: Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object
de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType'
property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should
upgrade to 2.18.2. 

The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
refers to the various commits that resovoled the issue, and have more details.

Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ
BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor
tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM
rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7
R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1
eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I=
=/6Ky
-----END PGP SIGNATURE-----