This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git
commit afb5032b000258919e541800321b291af334339f Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:43:07 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2016-8749.txt.asc | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2016-8749.txt.asc b/docs/user-manual/en/security-advisories/CVE-2016-8749.txt.asc new file mode 100644 index 0000000..585eec1 --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2016-8749.txt.asc @@ -0,0 +1,35 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable +to Remote Code Execution attacks + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1 +The unsupported Camel 2.x (2.14 and earlier) versions may be also affected. + +Description: Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object +de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType' +property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. + +Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should +upgrade to 2.18.2. + +The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604 +refers to the various commits that resovoled the issue, and have more details. + +Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ +BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor +tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM +rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7 +R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1 +eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I= +=/6Ky +-----END PGP SIGNATURE-----
