This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 1936adf3581cb56502ba25aa5282fbd4d0cfd024 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:05 2026 +0200 Added CVE-2026-40859 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-40859.md | 17 +++++++++++++++++ content/security/CVE-2026-40859.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-40859.md b/content/security/CVE-2026-40859.md new file mode 100644 index 00000000..331bcb8d --- /dev/null +++ b/content/security/CVE-2026-40859.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-40859" +date: 2026-06-09T10:00:00+02:00 +url: /security/CVE-2026-40859.html +draft: false +type: security-advisory +cve: CVE-2026-40859 +severity: MEDIUM +summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" +description: "The camel-vertx-http and camel-netty-http components deserialize HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSeri [...] +mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserial [...] +credit: "This issue was discovered by Venkatraman Kumar from Securin" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0." +fixed: 4.14.8, 4.18.3 and 4.20.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23324 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/22613 (commit e735f56b4bcae040a6a113a83bf08d41b8696c43, released in 4.20.0) and backported to camel-4.18.x (commit a3835afef108fef9eaf04165faed91784889407f, PR #22637) and camel-4.14.x (commit 04019cf90a4b09e263d2df4ad4cacea85a9d72ee, PR #22768). Exploitation requires the non-def [...] diff --git a/content/security/CVE-2026-40859.txt.asc b/content/security/CVE-2026-40859.txt.asc new file mode 100644 index 00000000..49dada4d --- /dev/null +++ b/content/security/CVE-2026-40859.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-40859" +date: 2026-06-09T10:00:00+02:00 +url: /security/CVE-2026-40859.html +draft: false +type: security-advisory +cve: CVE-2026-40859 +severity: MEDIUM +summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled" +description: "The camel-vertx-http and camel-netty-http components deserialize HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream and NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSeri [...] +mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserial [...] +credit: "This issue was discovered by Venkatraman Kumar from Securin" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0." +fixed: 4.14.8, 4.18.3 and 4.20.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23324 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/22613 (commit e735f56b4bcae040a6a113a83bf08d41b8696c43, released in 4.20.0) and backported to camel-4.18.x (commit a3835afef108fef9eaf04165faed91784889407f, PR #22637) and camel-4.14.x (commit 04019cf90a4b09e263d2df4ad4cacea85a9d72ee, PR #22768). Exploitation requires the non-def [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy7sACgkQ406fOAL/ +QQDUsgf/VKtr0Ly6x5Hfj7x0Dpn3ZUJaSKW6Zk4pFpYstbxHXj5xKaHi4839gtJN +ygGgz9x7nQuRdsuAMZgeZb923OM2X87O4EyX+sNqAkDlSijMN3VNVgMyt4Wi5fbb +NlCaWTRVwcUoEfkuYm68wVXxfkO5ecbvJ06BmCL0fU1rVfSLWjHv3jWWMUYosneW +BdZ0f3L7iJaGxC/SldSxespbIx2q6STo1nRF6u9zb2BXGhA1tq5+ztXssd2eKB/z +32YPpog5R4ptnliA228FWR8Nr+m9mVjgfsKVgJT+fhGTiwVzln2KT+cueqmnvmsQ +lRSPYRYDNabYquXxH0AfJWgGWL/uMQ== +=RXFq +-----END PGP SIGNATURE-----
