Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/9

https://camel.apache.org/security/CVE-2020-11973.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2021-38294 Vulnerability in maven package org.apache.storm:storm-server

CVE-2022-25842 Vulnerability in maven package com.alibaba.oneagent:one-java-agent-plugin

CVE-2022-40664 Vulnerability in maven package org.apache.shiro:shiro-core

CVE-2022-45207 Vulnerability in maven package org.jeecgframework.boot:jeecg-module-system

CVE-2019-16776 Vulnerability in npm package npm

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory