Venkatraman Kumar

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 4.2.2 Apache CXF versions prior to 4.1.7 **Description** The `EndpointReferenceUtils` and `W3CMultiSchemaFactory` classes construct a `SAXParserFactory` without the required JAXP hardening configurations. This allows for out-of-band (OOB) external entity resolution, a process where an XML parser is tricked into accessing external resources via external entities. **Recommendations** Upgrade to version 4.2.2. Upgrade to version 4.1.7.

**Name of the Vulnerable Software and Affected Versions** Apache Fory fory-core versions prior to 1.1.0 **Description** Deserialization of untrusted data in the Java replace-resolve path on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks. By using crafted Fory serialized data, an attacker can invoke `readResolve()` and `readExternal()` hooks present on the classpath. **Recommendations** Upgrade to version 1.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions 3.0.0 through 4.14.6 Apache Camel versions 4.15.0 through 4.18.1 Apache Camel versions 4.19.0 through 4.19.x **Description** The `extractBodyFromJms()` function in `camel-jms` and the `JmsBinding` class in `camel-sjms` deserialize the payload of incoming JMS ObjectMessage values via `javax.jms.ObjectMessage.getObject()` without using an ObjectInputFilter, class allowlist, or class denylist. This occurs when the `mapJmsMessage` option is enabled and the application acts as a JMS consumer. An attacker could publish a crafted ObjectMessage to a queue or topic to achieve remote code execution if a deserialization gadget chain is present on the classpath. This issue also affects `camel-sjms2`, `camel-amqp`, `camel-activemq`, and `camel-activemq6`. **Recommendations** Upgrade to version 4.14.7 for those on the 4.14.x LTS releases stream. Upgrade to version 4.18.2 for those on the 4.18.x releases stream. Upgrade to version 4.20.0 for all other affected versions.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions 4.19.0 through 4.19.x Apache Camel versions 4.18.0 through 4.18.1 **Description** The Camel-PQC `FileBasedKeyLifecycleManager` class deserializes the contents of `<keyId>.key` files in the configured key directory using `java.io.ObjectInputStream` without applying an `ObjectInputFilter` or class-loading restrictions. Because the cast to `java.security.KeyPair` occurs only after the `readObject()` function has returned, any side effects within the deserialized object are executed before the type check. An attacker with write access to the key directory—potentially achieved via path traversal, misconfigured filesystem permissions, a compromised key provisioning pipeline, or a symlink attack—can place a crafted serialized Java object to achieve arbitrary code execution within the application context. **Recommendations** Upgrade to version 4.20.0. Upgrade to version 4.18.2 for users on the 4.18.x LTS releases stream.

**Name of the Vulnerable Software and Affected Versions** Apache MINA versions 2.0.0 through 2.0.27 Apache MINA versions 2.1.0 through 2.1.10 Apache MINA versions 2.2.0 through 2.2.5 **Description** An issue exists in the `getObject()` function of the `AbstractIoBuffer` class due to an incomplete deserialization mechanism. The classname allowlist, which restricts which classes can be deserialized, is applied too late, potentially allowing a static initializer in a class to be executed before the check occurs. This flaw allows a remote attacker to execute arbitrary code on applications that call the `getObject()` function. **Recommendations** Update to version 2.0.28 for versions 2.0.0 through 2.0.27. Update to version 2.1.11 for versions 2.1.0 through 2.1.10. Update to version 2.2.6 for versions 2.2.0 through 2.2.5. As a temporary workaround, restrict the use of the `getObject()` function.

**Name of the Vulnerable Software and Affected Versions** Apache MINA versions 2.0.0 through 2.0.27 Apache MINA versions 2.1.0 through 2.1.10 Apache MINA versions 2.2.0 through 2.2.5 **Description** A flaw in the `resolveClass()` function of `AbstractIoBuffer` allows a bypass of the classname allowlist for static classes or primitive types. This occurs because one of the execution branches fails to validate the class, enabling unsafe deserialization when applications call `IoBuffer.getObject()`. This can lead to remote code execution. **Recommendations** Upgrade to version 2.0.28 for versions 2.0.0 through 2.0.27. Upgrade to version 2.1.11 for versions 2.1.0 through 2.1.10. Upgrade to version 2.2.6 for versions 2.2.0 through 2.2.5.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions 3.0.0 through 4.14.5 Apache Camel versions 4.15.0 through 4.18.1 Apache Camel versions 4.19.0 through 4.19.9 **Description** The `camel-mina` component contains a flaw in the `MinaConverter.toObjectInput(IoBuffer)` function where it wraps an `IoBuffer` in a `java.io.ObjectInputStream` without implementing an `ObjectInputFilter` or class-loading restrictions. When a Camel route utilizes `camel-mina` as a TCP or UDP consumer and requests conversion to `ObjectInput` (such as through `getBody(ObjectInput.class)` or `@Body ObjectInput`), a remote attacker can send a crafted serialized Java object to the MINA consumer port. This can lead to arbitrary code execution within the application context during the `readObject()` process due to unsafe deserialization. **Recommendations** Upgrade to version 4.14.6 for those on the 4.14.x LTS releases stream. Upgrade to version 4.18.2 for those on the 4.18.x releases stream. Upgrade to version 4.20.0 for all other affected versions.