Apache Camel security advisory: CVE-2015-5344
Summary
Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.

Versions affected
2.15.0 up to 2.15.4, 2.16.0

Versions fixed
2.15.5, 2.16.1 and newer
Description
Apache Camel's camel-xstream component is affected by a Java object deserialization vulnerability. XStream instantiates whatever classes the incoming document names, so deserializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java deserialization issues.

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-9297 refers to the various commits that resolved the issue and has more details.
A related xstream de-serialization vulnerability was recently reported for Apache ActiveMQ: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt?version=1&modificationDate=1449589734000&api=v2
Mitigation
2.15.x users should upgrade to 2.15.5; 2.16.0 users should upgrade to 2.16.1. If you use camel-xstream to unmarshal payloads into Java objects, you also need to explicitly list the trusted packages that XStream may instantiate. To see how to do that, please take a look at: http://camel.apache.org/xstream
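The following is an added example, not code from the advisory or from the Camel project, showing what the mitigation looks like in the Java DSL: one camel-xstream route left at the default configuration the advisory warns about, beside one restricted to an explicit trusted-package list through the data format's permissions option, which the fixed releases provide. The package com.example.orders, the Order class and the endpoint names are assumptions chosen for the example; it needs camel-core and camel-xstream 2.15.5 / 2.16.1 or newer on the classpath.

```java
package com.example.orders; // hypothetical package chosen for this example

import org.apache.camel.CamelContext;
import org.apache.camel.CamelExecutionException;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.dataformat.xstream.XStreamDataFormat;
import org.apache.camel.impl.DefaultCamelContext;

/**
 * Added example (not from the advisory or the Camel project): an unrestricted
 * camel-xstream route next to one limited to an explicit trusted-package list.
 */
public class XStreamTrustedPackages {

    /** Hypothetical payload type: the one class this route genuinely needs to unmarshal. */
    public static class Order {
        public int id;
        public String item;
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // WEAK: no permissions configured. On 2.15.0-2.15.4 and 2.16.0 the sender
                // selects the class by naming it in the XML root element, so any class
                // on the classpath can be instantiated during unmarshal.
                XStreamDataFormat unrestricted = new XStreamDataFormat();
                from("direct:unrestricted").unmarshal(unrestricted);

                // HARDENED: "-*" denies every type first, then only the listed packages
                // are allowed. Entries are comma-separated; a "-" prefix denies, "+" or
                // no prefix allows, and "*" is a wildcard for one package level.
                XStreamDataFormat restricted = new XStreamDataFormat();
                restricted.setPermissions("-*,java.lang.*,java.util.*,com.example.orders.*");
                from("direct:restricted").unmarshal(restricted);

                // Same data format used for marshalling, so the demo payload below is
                // produced by XStream itself rather than hand-written.
                from("direct:marshal").marshal(restricted);
            }
        });
        context.start();
        ProducerTemplate template = context.createProducerTemplate();
        try {
            Order order = new Order();
            order.id = 42;
            order.item = "widget";
            String xml = template.requestBody("direct:marshal", order, String.class);

            // Allowed type: round-trips through the restricted route.
            Order back = template.requestBody("direct:restricted", xml, Order.class);
            System.out.println("accepted: id=" + back.id + " item=" + back.item);

            // Disallowed type: java.io.File is outside the trusted list. This is a
            // constructed, harmless stand-in for an attacker-chosen class; XStream
            // rejects it before instantiating anything.
            String untrusted = "<java.io.File>/tmp/nothing</java.io.File>";
            try {
                template.requestBody("direct:restricted", untrusted, Object.class);
                System.out.println("BUG: disallowed type was deserialized");
            } catch (CamelExecutionException e) {
                // Root cause is XStream's ForbiddenClassException.
                System.out.println("rejected: " + e.getCause());
            }
        } finally {
            template.stop();
            context.stop();
        }
    }
}
```

Keep the allow list as narrow as the route permits: java.lang.* and java.util.* are included here only because XStream needs them for strings, boxed numbers and collections inside the payload, and every additional package widens what an attacker can reach. The same restriction can be expressed directly on an XStream instance with addPermission(NoTypePermission.NONE) followed by allowTypesByWildcard(...) when the XStream object is built by hand.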
Credit
This issue was discovered by Christian Schneider.
- PGP signed advisory data: CVE-2015-5344.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5344