PT-2017-9780 · Apache · Apache Camel
Moritz Bechler
Published 2017-03-28 · Updated 2019-05-24
CVE-2016-8749
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Camel versions prior to 2.16.5
Apache Camel versions prior to 2.17.5
Apache Camel versions prior to 2.18.2
Description
The issue is a Java object deserialization vulnerability in the unmarshal operation of Apache Camel's Jackson and JacksonXML data formats (camel-jackson and camel-jacksonxml). Before the fix, these data formats took the target class for unmarshalling from the CamelJacksonUnmarshalType message header, so a sender who controls the headers of a message that reaches such a route can choose an arbitrary class on the classpath; Jackson then instantiates that class and populates it from the attacker-supplied body. With suitable classes available, this leads to Remote Code Execution, as with other Java deserialization issues. Deserializing untrusted data is unsafe whenever the type to instantiate is under the sender's control.
Recommendations
For versions prior to 2.16.5, upgrade to 2.16.5.
For versions prior to 2.17.5, upgrade to 2.17.5.
For versions prior to 2.18.2, upgrade to 2.18.2.
In the fixed versions the CamelJacksonUnmarshalType header is ignored unless the data format option allowUnmarshallType is explicitly set to true; leave it at its default of false unless the header is genuinely needed and only trusted parties can set it.
As a temporary workaround on unfixed versions, pin the unmarshal type in the route configuration and make sure the CamelJacksonUnmarshalType header cannot be set by untrusted senders, for example by removing it from the message before the unmarshal step.
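The following route definition, added here as an illustration and not taken from the advisory or from the Apache Camel project, shows the exposed pattern next to the hardened one. The Order class, the endpoint names and the header value "com.example.SomeOtherClass" are constructed for the example; the header value is deliberately a non-existent class, so the example does not attempt exploitation, it only demonstrates that the hardened route ignores the header.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jackson.JacksonDataFormat;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.model.dataformat.JsonLibrary;

public class CamelJacksonHardening {

    // Hypothetical application type: the only class this route should ever unmarshal into.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Message header that camel-jackson honoured unconditionally before the fix.
    static final String UNMARSHAL_TYPE_HEADER = "CamelJacksonUnmarshalType";

    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        ctx.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // BEFORE (exposed pattern on unfixed versions): no target class is pinned,
                // so on an affected release the data format takes the class name from the
                // CamelJacksonUnmarshalType header supplied by whoever produced the message.
                from("direct:ordersExposed")
                    .unmarshal().json(JsonLibrary.Jackson)
                    .to("mock:orders");

                // AFTER (hardened): pin the target class, keep allowUnmarshallType at its
                // default of false (fixed versions only consult the header when it is true),
                // and strip the header anyway so the route stays safe on an older Camel.
                JacksonDataFormat orderFormat = new JacksonDataFormat(Order.class);
                orderFormat.setAllowUnmarshallType(false);
                from("direct:ordersHardened")
                    .removeHeader(UNMARSHAL_TYPE_HEADER)
                    .unmarshal(orderFormat)
                    .to("mock:orders");
            }
        });
        ctx.start();

        // Constructed sample message: an ordinary JSON body plus a header naming a class
        // that does not exist. The hardened route never looks at the header and binds the
        // body to Order regardless of what the sender asked for.
        ProducerTemplate template = ctx.createProducerTemplate();
        Object result = template.requestBodyAndHeader("direct:ordersHardened",
                "{\"id\":\"A-1\",\"quantity\":3}",
                UNMARSHAL_TYPE_HEADER, "com.example.SomeOtherClass",
                Object.class);
        System.out.println("Unmarshalled into: " + result.getClass().getName());
        ctx.stop();
    }
}
```

When auditing existing routes, look for every unmarshal step that uses the Jackson or JacksonXML data format and check two things: that a concrete unmarshal type is configured, and that messages arriving from outside the trust boundary (JMS, HTTP, file drops) have their headers filtered before reaching it.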
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related identifiers
CVE-2016-8749
Affected products
Apache Camel