Apache Camel Java Object Deserialization Vulnerabilities Fixed by 2.16.5, 2.17.5 and 2.18.2


Description   Two vulnerabilities have been identified in Apache Camel components. A remote attacker could exploit them by sending a specially crafted serialized Java object in order to execute arbitrary code with high privileges.

These vulnerabilities are located in:
- CVE-2016-8749: the Jackson and JacksonXML unmarshalling operation, which honours the "CamelJacksonUnmarshalType" message header and therefore lets the sender of a message choose the Java type the payload is deserialized into.
- CVE-2017-3159: the Snakeyaml unmarshalling operation, which deserializes untrusted data without restricting the Java types that may be instantiated.
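The two patterns described above, as an added illustration that is not code from Apache Camel or from the advisories: a JSON unmarshaller that takes its target type from a sender-controlled "CamelJacksonUnmarshalType" header, and a YAML loader that accepts arbitrary class tags, each shown next to a hardened form that binds to a fixed type or uses SnakeYAML's SafeConstructor. The Order class, the header map and the YAML document are constructed for the example; it assumes the Jackson databind and SnakeYAML 1.x APIs that were current when these CVEs were published (SnakeYAML 2.x changes the constructor signatures and default tag policy).

```java
import java.util.HashMap;
import java.util.Map;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class UnmarshalExample {
    // Hypothetical application type the consumer actually expects (constructed for the example).
    public static final class Order {
        public String id;
        public int quantity;
    }

    // VULNERABLE pattern behind CVE-2016-8749: the class to deserialize into is read from a
    // message header, so the sender decides which type Jackson instantiates and populates.
    static Object unmarshalJsonTrustingHeader(Map<String, Object> headers, String body) throws Exception {
        String typeName = (String) headers.get("CamelJacksonUnmarshalType");
        Class<?> type = Class.forName(typeName);   // attacker-chosen type
        return new ObjectMapper().readValue(body, type);
    }

    // HARDENED: ignore any type hint carried by the message and bind to one fixed type.
    static Order unmarshalJsonFixedType(String body) throws Exception {
        return new ObjectMapper().readValue(body, Order.class);
    }

    // VULNERABLE pattern behind CVE-2017-3159: the default Yaml constructor honours
    // "!!fully.qualified.ClassName" tags and instantiates whatever class the document names.
    static Object loadYamlUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // HARDENED: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and rejects global class tags.
    static Object loadYamlSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"id\":\"A-1\",\"quantity\":2}";

        // Benign use of the header-driven path: the sender names the expected type.
        Map<String, Object> headers = new HashMap<>();
        headers.put("CamelJacksonUnmarshalType", Order.class.getName());
        Order fromHeader = (Order) unmarshalJsonTrustingHeader(headers, json);
        System.out.println("header-driven: " + fromHeader.id + " x" + fromHeader.quantity);
        // A hostile sender simply sets the header to any other class on the classpath.

        Order fixed = unmarshalJsonFixedType(json);
        System.out.println("fixed type: " + fixed.id + " x" + fixed.quantity);

        // Constructed YAML with a class tag the application never asked for.
        String hostile = "!!java.net.URL [\"http://example.invalid/\"]";
        try {
            Object out = loadYamlSafe(hostile);
            System.out.println("safe loader returned " + out);
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the tag: " + e.getMessage());
        }
        // loadYamlUnsafe(hostile) would instantiate java.net.URL from the document;
        // with a class that does something dangerous in its constructor or setters,
        // that is the code-execution path the advisory describes.
    }
}
```

The check a practitioner wants after upgrading is that the header-driven path is no longer reachable: with the fixed versions the Jackson data format ignores the header unless explicitly allowed to use it, and the YAML path should be constrained to a known type in the same way as `unmarshalJsonFixedType` above.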
     
Vulnerable Products   Vulnerable Software:
Camel (Apache Software Foundation) - 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, ..., 2.17.2, 2.17.3, 2.17.4, 2.18.0, 2.18.1
     
Solution   Versions 2.16.5 (only for CVE-2016-8749), 2.17.5 and 2.18.2 of Apache Camel fix these vulnerabilities.
     
CVE   CVE-2017-3159
CVE-2016-8749
     
References   - Apache Camel : CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks
http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt
- Apache Camel : CVE-2017-3159: Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks
http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                                            Available Since
RCE attempt using Java serialized class known to be vulnerable to unsafe deserialization    5.0.0
Java serialized object injection attempt                                                    5.0.0
     
Risk level   High

Vulnerability First Public Report Date   2017-02-16

Target Type   Server

Possible exploit   Remote