David Jorm created CAMEL-7322:
---------------------------------
Summary: Routes using serialized data formats could expose security issues
Key: CAMEL-7322
URL: https://issues.apache.org/jira/browse/CAMEL-7322
Project: Camel
Issue Type: New Feature
Components: documentation
Affects Versions: 2.13.0
Reporter: David Jorm
Camel supports various serialized data formats. Camel routes using these data
formats could expose security issues if vulnerable classes are on the
classpath. For example, CVE-2013-2186 describes a poison null byte flaw that
existed in Apache Commons FileUpload:
http://svn.apache.org/viewvc?view=revision&revision=1507048
If an application was exposing Camel routes that used serialized data formats,
and had a vulnerable class such as Commons FileUpload on the classpath, it
could be exploited, as an attacker would be able to call the deserialization
methods on that class.
Camel could address this by exposing a configuration mechanism for
type-checking data prior to deserialization, using a technique such as:
http://www.ibm.com/developerworks/java/library/se-lookahead/index.html
And then providing documentation warning users against deserializing arbitrary
user-supplied content. Alternatively, this could be considered a problem to be
solved by applications exposing Camel routes that use serialized data formats,
and therefore be addressed entirely in documentation. If the latter approach is
taken, then I am happy to provide draft documentation content.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
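The look-ahead technique the issue points to, as an added illustration (not Camel's code, and not from the reporter): an ObjectInputStream subclass that checks each class descriptor against an allowlist in resolveClass, so a class that is not expected is rejected before any instance of it is constructed. The class name LookAheadObjectInputStream and the java.util.Date sample payload are assumptions for this example; Set.of needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** ObjectInputStream that refuses to resolve any class not on an explicit allowlist. */
public class LookAheadObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClassNames;

    public LookAheadObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    // Invoked for every class descriptor in the stream before an instance is created, so a
    // rejected class never has its readObject()/readResolve() executed.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowedClassNames.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }

    /** Deserialize one object from bytes, accepting only the listed class names. */
    public static Object readAllowed(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (LookAheadObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: a serialized java.util.Date standing in for a message body.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date(0L));
        }
        byte[] payload = bos.toByteArray();
        // Expected type on the allowlist: resolves and deserializes normally.
        System.out.println(readAllowed(payload, Set.of("java.util.Date")));
        // Same bytes against an allowlist that does not include Date: rejected at the descriptor.
        try {
            readAllowed(payload, Set.of("java.lang.String"));
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.classname);
        }
    }
}
```

In a Camel route the allowlist would hold only the message types the route is designed to receive; anything else, including classes that merely happen to be on the classpath, fails before its deserialization hooks run.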