Apache Camel security advisory: CVE-2015-5348

Severity

MEDIUM

Summary

Apache Camel's Jetty/Servlet usage is vulnerable to a Java object deserialisation vulnerability.

Versions affected

2.15.0 to 2.15.4 inclusive, and 2.16.0

Versions fixed

2.15.5, 2.16.1 and newer

Description

Apache Camel's Jetty/Servlet usage is vulnerable to a Java object deserialisation vulnerability.

Notes

If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel will automatically deserialize the body of any HTTP request whose content-type header is application/x-java-serialized-object.

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resolved the issue.
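As an added example (not from this advisory or the Camel project), the following servlet filter rejects requests carrying the media type named above before any servlet-based consumer can read the body, as defence in depth alongside the upgrade. The class name is hypothetical, and it assumes the Servlet 3.0 API (javax.servlet) in front of camel-servlet.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Defence-in-depth filter for deployments that front camel-servlet (or any
 * servlet) in a servlet container: requests carrying the serialized-object
 * media type are rejected with 415 before a consumer deserializes the body.
 * Hypothetical class; not part of Apache Camel.
 */
public class RejectJavaSerializedObjectFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(RejectJavaSerializedObjectFilter.class.getName());
    static final String BLOCKED_TYPE = "application/x-java-serialized-object";

    /** True if the Content-Type names the blocked media type, ignoring case and parameters such as ";charset=...". */
    static boolean isJavaSerializedObject(String contentType) {
        if (contentType == null) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return BLOCKED_TYPE.equals(mediaType);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isJavaSerializedObject(request.getContentType())) {
            // Log source and path so the rejection can be alerted on; never log the body.
            LOG.warning("Rejected " + BLOCKED_TYPE + " request from " + request.getRemoteAddr()
                    + " to " + request.getRequestURI());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter to the same URL pattern as the Camel servlet in web.xml so it runs ahead of it; camel-jetty endpoints embed their own Jetty server and are not covered by a web.xml filter, so the upgrade remains the fix for those.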

Mitigation

2.15.x users should upgrade to 2.15.5; 2.16.0 users should upgrade to 2.16.1.

Credit

This issue was discovered by Sim Yih Tsern.

References

PGP signed advisory data: CVE-2015-5348.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5348