[
https://issues.apache.org/jira/browse/CAMEL-21571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17908341#comment-17908341
]
Claus Ibsen commented on CAMEL-21571:
-------------------------------------
For Camel 4.4.x we should also look at upgrading
> camel-mina - Upgrade to 2.2.4
> -----------------------------
>
> Key: CAMEL-21571
> URL: https://issues.apache.org/jira/browse/CAMEL-21571
> Project: Camel
> Issue Type: Dependency upgrade
> Components: camel-mina
> Reporter: Claus Ibsen
> Assignee: Claus Ibsen
> Priority: Major
> Fix For: 4.8.3, 4.10.0
>
>
> h4. [Announce] Apache MINA 2.0.27, 2.1.0 and 2.2.4 release
> The MINA project is pleased to announce the MINA 2.2.4, 2.1.10 and 2.0.27
> release. **MINA** applications using unbounded deserialization may allow
> **RCE** (see [https://www.cve.org/CVERecord?id=CVE-2024-52046]).
>
> Affected versions:
> - Apache MINA 2.0 through 2.0.26
> - Apache MINA 2.1 through 2.1.9
> - Apache MINA 2.2 through 2.2.3
>
> Description: The *ObjectSerializationDecoder*
> in Apache **MINA** uses Java’s native deserialization protocol to process
> incoming serialized data but lacks the necessary security checks and
> defenses. This vulnerability allows attackers to exploit the deserialization
> process by sending specially crafted malicious serialized data, potentially
> leading to remote code execution (**RCE**) attacks. This issue affects
> **MINA** core versions 2.0.X, 2.1.X and 2.2.X, and is fixed by the releases
> 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application
> using **MINA** core library will only be affected if the
> *IoBuffer#getObject()* method is called, and this specific method is
> potentially called when adding a *ProtocolCodecFilter* instance using the
> *ObjectSerializationCodecFactory* class in the filter chain. If your
> application is specifically using those classes, you have to upgrade to the
> latest version of **MINA** core library. **Upgrading will not be enough: you
> also need to explicitly allow the classes the decoder will accept in the
> *ObjectSerializationDecoder* instance, using one of the three new methods:**
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
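The quoted announcement stops before naming the three new allow-list methods, so here is an added example (not code from the Camel issue, the Camel project or the MINA project) of what the two filter-chain setups it contrasts look like: the affected one, where a stock *ObjectSerializationCodecFactory* is added to the chain and the decoder will reconstruct any class the JVM can load, and the hardened one, where the decoder from an upgraded MINA (2.2.4 or later, assumed on the classpath) is given an explicit list of accepted classes. It assumes that `accept(String...)` on *ObjectSerializationDecoder* is one of the new methods the announcement refers to, and the message class names `com.example.app.messages.Ping` / `Pong` are placeholders.

```java
// Added example; not part of CAMEL-21571 or the MINA code base.
// Assumptions: MINA >= 2.2.4; ObjectSerializationDecoder#accept(String...) is one
// of the new allow-list methods; the message class names below are placeholders.
import org.apache.mina.core.service.IoService;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;

public final class MinaCodecHardening {

    /**
     * Affected setup from the announcement: the stock codec factory installs an
     * ObjectSerializationDecoder with no class restriction, so IoBuffer#getObject()
     * will deserialize whatever type the peer sends.
     */
    static ProtocolCodecFilter unboundedCodec() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /**
     * Hardened setup: the same encoder, but a decoder that only accepts the
     * application's own message classes. Upgrading alone is not enough; the
     * allow-list must be configured explicitly.
     */
    static ProtocolCodecFilter allowListedCodec() {
        ProtocolCodecFactory factory = new ProtocolCodecFactory() {
            private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
            private final ObjectSerializationDecoder decoder = buildAllowListedDecoder();

            @Override
            public ProtocolEncoder getEncoder(IoSession session) {
                return encoder;
            }

            @Override
            public ProtocolDecoder getDecoder(IoSession session) {
                return decoder;
            }
        };
        return new ProtocolCodecFilter(factory);
    }

    static ObjectSerializationDecoder buildAllowListedDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // The size bound only limits payload length; it does not restrict which
        // classes get instantiated, which is what the CVE is about.
        decoder.setMaxObjectSize(64 * 1024);
        // Accept only the application's message types (placeholder names).
        // Anything not listed here is rejected by the upgraded decoder.
        decoder.accept("com.example.app.messages.Ping",
                       "com.example.app.messages.Pong");
        return decoder;
    }

    /** Install the hardened codec on an acceptor or connector. */
    static void installHardenedCodec(IoService service) {
        service.getFilterChain().addLast("codec", allowListedCodec());
    }
}
```

When auditing a Camel or MINA deployment for this issue, the question to ask is the one the announcement states: does the filter chain contain a *ProtocolCodecFilter* built from *ObjectSerializationCodecFactory* (or any decoder path that reaches *IoBuffer#getObject()*), and if so, has the decoder been given an explicit allow-list after the upgrade. An unrestricted decoder on a version at or above 2.2.4 is still a misconfiguration worth flagging.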