Apache Camel security advisory: CVE-2017-5643
SummaryApache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE
Versions affected2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2
Versions fixed2.17.6, 2.18.3 and newer
DescriptionThe Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.
The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.
Mitigation2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3.
CreditThis issue was discovered by Franz Forsthofer
- PGP signed advisory data: CVE-2017-5643.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5643