| title | url | date | draft | type | cve | severity | summary | description | mitigation | credit | affected | fixed |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Apache Camel Security Advisory - CVE-2016-8749 |
/security/CVE-2016-8749.html |
2017-03-28 07:59:00 -0700 |
false |
security-advisory |
CVE-2016-8749 |
MEDIUM |
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks |
Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. |
2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade to 2.18.2. |
This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co. |
2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 |
2.16.5, 2.17.5, 2.18.2 |
The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604 refers to the various commits that resovoled the issue, and have more details.