Description
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/05/14/10
http://www.openwall.com/lists/oss-security/2020/05/14/8
https://camel.apache.org/security/CVE-2020-11972.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2020-2232 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2020-27665 Vulnerability in npm package strapi-plugin-content-type-builder
CVE-2020-14062 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2019-1010266 Vulnerability in maven package org.webjars:lodash
CVE-2019-13127 Vulnerability in maven package org.webjars.bowergithub.jgraph:mxgraph