Apache Camel security advisory: CVE-2015-5348
Summary: Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability.
Versions affected: 2.15.0 up to 2.15.4, 2.16.0
Versions fixed: 2.15.5, 2.16.1 and newer
Description: Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability.
If camel-jetty or camel-servlet is used as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that carry the Content-Type header application/x-java-serialized-object.
The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resolved the issue.
Mitigation: 2.15.x users should upgrade to 2.15.5; 2.16.0 users should upgrade to 2.16.1.
Credit: This issue was discovered by Sim Yih Tsern.
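Two defender-side checks that follow from the advisory above, as an added example that is not part of the advisory or of the Apache Camel project: a version check against the affected ranges the advisory lists, and a scan of request log lines for the Content-Type value the advisory names (application/x-java-serialized-object), which is what a camel-jetty or camel-servlet consumer on an affected version would de-serialize. The log line format, the sample lines and the helper names are constructed for this example and are not a Camel or Jetty log format.

```python
"""Added example for CVE-2015-5348 (not from the advisory or the Camel project).

Checks shown:
  1. is_affected_version(): is a Camel version inside the advisory's affected
     ranges (2.15.0 - 2.15.4, and 2.16.0)?
  2. find_serialized_object_requests(): which logged requests carried the
     Content-Type application/x-java-serialized-object, i.e. the input an
     affected camel-jetty/camel-servlet consumer would de-serialize?
The log format below is a constructed, hypothetical one; adapt LOG_RE to the
access log of the server actually in front of Camel.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Affected ranges taken from the advisory: 2.15.0 up to 2.15.4, and 2.16.0.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((2, 15, 0), (2, 15, 4)),
    ((2, 16, 0), (2, 16, 0)),
]

# Media type named by the advisory.
SERIALIZED_OBJECT_TYPE = "application/x-java-serialized-object"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (trailing qualifiers such as '-SNAPSHOT' ignored)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected_version(version: str) -> bool:
    """True if the Camel version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def media_type(content_type: str) -> str:
    """Strip parameters (e.g. '; charset=...') and normalise case of a Content-Type."""
    return content_type.split(";", 1)[0].strip().lower()


# Constructed log format: <client> "<METHOD> <path>" <status> ct="<Content-Type>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) ct="(?P<ct>[^"]*)"$'
)


def find_serialized_object_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed requests whose Content-Type is application/x-java-serialized-object.

    Parameters and letter case are ignored, so a request that sends
    'Application/X-Java-Serialized-Object; charset=ISO-8859-1' is still matched.
    Lines that do not fit LOG_RE are skipped rather than raising.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if media_type(m.group("ct")) == SERIALIZED_OBJECT_TYPE:
            hits.append(m.groupdict())
    return hits


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 "POST /camel/orders" 200 ct="application/json"',
    '10.0.0.9 "POST /camel/orders" 200 ct="application/x-java-serialized-object"',
    '10.0.0.9 "POST /camel/orders" 500 ct="Application/X-Java-Serialized-Object; charset=ISO-8859-1"',
    '10.0.0.7 "GET /camel/health" 200 ct=""',
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for v in ("2.15.3", "2.15.5", "2.16.0", "2.16.1"):
        print(f"Camel {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for hit in find_serialized_object_requests(SAMPLE_LOG):
        print(f"serialized-object request from {hit['client']} to {hit['path']} "
              f"(status {hit['status']})")
```

The version check is only a first-pass triage aid: the authoritative fix is the upgrade the advisory's Mitigation section names. The log scan is the kind of evidence a defender would want when deciding whether an affected consumer was actually reached with that media type before the upgrade was applied.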
- PGP signed advisory data: CVE-2015-5348.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5348