Claus Ibsen created CAMEL-21571:
-----------------------------------
Summary: camel-mina - Upgrade to 2.2.4
Key: CAMEL-21571
URL: https://issues.apache.org/jira/browse/CAMEL-21571
Project: Camel
Issue Type: Dependency upgrade
Components: camel-mina
Reporter: Claus Ibsen
Assignee: Claus Ibsen
Fix For: 4.10.0
h4. [Announce] Apache MINA 2.0.27, 2.1.0 and 2.2.4 release

The MINA project is pleased to announce the MINA 2.2.4, 2.1.10 and 2.0.27 release. **MINA** applications using unbounded deserialization may allow **RCE** (see [https://www.cve.org/CVERecord?id=CVE-2024-52046]).

Affected versions:
- Apache MINA 2.0 through 2.0.26
- Apache MINA 2.1 through 2.1.9
- Apache MINA 2.2 through 2.2.3

Description: The *ObjectSerializationDecoder* in Apache **MINA** uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (**RCE**) attacks.

This issue affects **MINA** core versions 2.0.X, 2.1.X and 2.2.X, and is fixed by the releases 2.0.27, 2.1.10 and 2.2.4.

It's also important to note that an application using **MINA** core library will only be affected if the *IoBuffer#getObject()* method is called, and this specific method is potentially called when adding a *ProtocolCodecFilter* instance using the *ObjectSerializationCodecFactory* class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of **MINA** core library.

**Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the *ObjectSerializationDecoder* instance, using one of the three new methods:**
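The class allow-list the announcement calls for, as an added example that is not code from this ticket, from MINA or from camel-mina: a hypothetical ProtocolCodecFactory that wires a 2.2.4 ObjectSerializationDecoder restricted to one package into the filter chain. The ticket text cuts off before listing the three new methods; the example assumes the 2.2.4 method accept(String...) (wildcard class-name patterns), the package name com.example.dto and port 9123.

```java
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

import java.net.InetSocketAddress;

/**
 * Hypothetical replacement for the stock ObjectSerializationCodecFactory.
 * Requires MINA >= 2.2.4 (or 2.1.10 / 2.0.27): before the fix the decoder
 * resolved and instantiated whatever class name the peer put in the stream,
 * which is the CVE-2024-52046 condition. With the fix, the decoder rejects
 * every class by default and only the patterns passed to accept() are allowed.
 */
public final class RestrictedObjectCodecFactory implements ProtocolCodecFactory {

    private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
    private final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

    public RestrictedObjectCodecFactory(String... allowedClassPatterns) {
        // Bound the serialized frame so a peer cannot force a huge allocation
        // (1 MiB is an assumed limit that fits small DTOs; tune for your payloads).
        decoder.setMaxObjectSize(1024 * 1024);
        // Allow-list (assumed 2.2.4 API): only classes matching these wildcard
        // patterns are deserialized; anything else is refused before instantiation.
        decoder.accept(allowedClassPatterns);
    }

    @Override
    public ProtocolEncoder getEncoder(IoSession session) { return encoder; }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) { return decoder; }

    public static void main(String[] args) throws Exception {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        // Hypothetical DTO package: this is the only package the decoder will accept.
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new RestrictedObjectCodecFactory("com.example.dto.*")));
        acceptor.setHandler(new IoHandlerAdapter());
        acceptor.bind(new InetSocketAddress(9123)); // assumed listening port
    }
}
```

Any frame that names a class outside com.example.dto is now dropped by the decoder rather than deserialized, so a gadget-chain payload never reaches the vulnerable constructor path the advisory describes.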
--
This message was sent by Atlassian Jira
(v8.20.10#820010)