GoogleOSV:GHSA-VVJC-Q5VR-52Q6Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.088 Low
EPSS
Percentile
94.4%
Apache Camel’s camel-jackson and camel-jacksonxml components are vulnerable to Java object
de-serialisation vulnerability. Camel allows to specify such a type through the ‘CamelJacksonUnmarshalType’
property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.
Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should
upgrade to 2.18.2.
The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
refers to the various commits that resovoled the issue, and have more details.
References
camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2
www.openwall.com/lists/oss-security/2017/05/22/2
www.securityfocus.com/bid/97179
access.redhat.com/errata/RHSA-2017:1832
github.com/advisories/GHSA-vvjc-q5vr-52q6
github.com/apache/camel
github.com/apache/camel/commit/10f552643d7e4565104d142bbc160db5a30f9f7e
github.com/apache/camel/commit/235036d2396ae45b6809b72a1983dee33b5ba326
github.com/apache/camel/commit/2b0e96117d6f01eba0c18e2ff8df6a438e819721
github.com/apache/camel/commit/57d01e2fc8923263df896e9810329ee5b7f9b69e
github.com/apache/camel/commit/5ae9c0dcc4843347cd01ffb58ce5dd0687755a14
github.com/apache/camel/commit/7567488f844f01d72840f7ab6ca18114a11f20d8
github.com/apache/camel/commit/83fef7108456eeac1506853d194cd1360851c4fe
github.com/apache/camel/commit/881e5099f94316d4a66ffbff0a3e6915829d49d7
github.com/apache/camel/commit/8c862aa11e31d0f804c4a4516a0715e05e3eebcf
github.com/apache/camel/commit/abb45b2c2ada2bbb34138230540b37d259c1e98d
github.com/apache/camel/commit/ccf149c76bf37adc5977dc626e141a14e60b5aee
github.com/apache/camel/commit/d4102512147eca2af21c3b6ed63a67d852f4e66a
issues.apache.org/jira/browse/CAMEL-10567
issues.apache.org/jira/browse/CAMEL-10604
lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2016-8749
www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.088 Low
EPSS
Percentile
94.4%