Apache Camel security advisory: CVE-2014-0003
SummaryThe Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
Versions affected2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2
Versions fixed2.11.4, 2.12.3, 2.13.0 and newer
DescriptionThe Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.
Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:
<route> <from uri="servlet:///hello"/> <to uri="xslt:file:/tmp/transform.xsl" /> <to uri="file:/tmp/output" /> </route>
If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.
Mitigation2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d
CreditThis issue was discovered by David Jorm.
- PGP signed advisory data: CVE-2014-0003.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0003