-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-4330: Apache Camel critical disclosure vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel 2.11.0 to 2.11.1, Camel 2.12.0
The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x versions may be also affected.

Description: When sending an Exchange with the in Message Header 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer, it will interpret the value as simple language expression which can be exploited by a malicious user.

Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users should upgrade to 2.12.1. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0

Example: Create a simple route which moves files from one directory to another, e.g.:
from("file:c:/tmp/in")
  .to("file:/c:/tmp/out");

If you are using Windows, create an file with a name like
"$simple{<some malicious code>}" (without the quotes)
and drop it into the "c:/tmp/in" directory. The file consumer will read and process this file. It will also set the Exchange in Message Header 'CamelFileName' with the value "$simple{<some malicious code>}". In the next step, the file producer will interpreted the value of this header as simple language expression and execute the malicious code.

Credit: This issue was discovered by Grégory Draperi.

References: http://camel.apache.org/security-advisories.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJSSszOAAoJEImh9lEqI5wsaNEQAIoITjC6AWQru4H3Eqm7XmGJ
X2PGYY08XhwDGR7qqnIsYFHIqsSMoW+1YhQqZNV66zrU1hDgpFDz3dj3IaQUXpaE
9dI6B1eGvayF2GxoBnsc0Dua/43WdhWm9KBHrcGL3TQVEi3D7QmTv4Udsx3+5ita
xQcYrmrltdKDp8r08GHwFV1jZnafPEbJ5Vw/ATqHAb0hZ7ozv3c3iAqTkER++dzL
DL+gNKbN1eD8ZeixitQO4eirEkkiRlU8fC6dy+6e6Hra/0L16nyEmpsYWvx+mWnt
C+1fQQjmwZW/zV2tVqznc8mlVUYuttp3F4GDybYqPgMXlWC9Ri0JZWlNoXTZ0zak
f6KxcWqHvKs+LhCENFV2cnCtq2uHvGX0HMT4h/eVvGa/t/8gI2tgvaUtt0ylUNWn
a1znMCjDRwISlqu+jfSja7g1IydtvN1/tssfTMJjRDmng4mpGEa03iunVuwHFJv2
Y6khePzKKP4wXS5oQ9aMev039IKB2725R28iZ2YH2TolgjicAay8ulBGHq0jx0rm
QI5zVrAAdWdX3kYjDGED/70gVfhF6N0cG4wpZzT9RW0oYU0kFeTEPJN/1jg3u9Mc
Fm0FEDCOSRkX4OKKa5nQX8EL92Jz0g6YukPAaQyvegvbjvvMCSxgQbIwFyBh0Yt/
9JRZ0jp01139FFdpa+QM
=UpK9
-----END PGP SIGNATURE-----