Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/9

https://camel.apache.org/security/CVE-2020-11973.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2021-35513 Vulnerability in maven package org.webjars.bower:mermaid

CVE-2023-27987 Vulnerability in maven package org.apache.linkis:linkis-computation-client

CVE-2023-38435 Vulnerability in maven package org.apache.felix:org.apache.felix.healthcheck.webconsoleplugin

CVE-2019-1003093 Vulnerability in maven package org.jenkins-ci.plugins:nomad

CVE-2021-37695 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory