Description
Apache Camel Netty (the camel-netty component) enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
A flaw was found in Camel: the camel-netty component enables Java deserialization by default, without any means of disabling it, which can lead to arbitrary code being executed when untrusted bytes reach the endpoint. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement
Red Hat JBoss Fuse 6 and Red Hat Fuse 7 distribute Camel with the affected camel-netty component. However, both Fuse 6 and Fuse 7 have deprecated camel-netty, which is built on Netty 3.x, in favour of camel-netty4, which is built on Netty 4.x. camel-netty4 is not affected by this flaw; camel-netty is deprecated and should no longer be used.
Mitigation
Red Hat JBoss Fuse 6 and Red Hat Fuse 7 customers should use camel-netty4 instead of camel-netty.
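The practical check that follows from the description and the mitigation is an inventory one: which deployed builds still pull in camel-netty in the affected range, and which have already moved to camel-netty4. The script below is an added example, not code from Apache Camel or Red Hat. It encodes the affected range stated above (2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0, fixed in 2.25.1 and 3.2.0), parses the line format printed by `mvn dependency:list`, and treats camel-netty4 as unaffected per the statement. The `SAMPLE` text is constructed for illustration; vendor-suffixed versions such as `2.25.0.fuse-...` are reduced to their numeric prefix, which is an assumption about how the ranges should be compared.

```python
"""Flag camel-netty artifacts in `mvn dependency:list` output that fall in the
affected range for the camel-netty Java deserialization issue.

Added example, not Apache Camel or Red Hat code. Affected range taken from the
advisory text: 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 3.0.0 up to 3.1.0; fixed in
2.25.1 (2.x) and 3.2.0 (3.x). camel-netty4 is reported as not affected.
"""
import re
from typing import List, Optional, Tuple

# Matches dependency lines such as:
#   [INFO]    org.apache.camel:camel-netty:jar:2.24.3:compile
DEP_RE = re.compile(
    r"org\.apache\.camel:(?P<artifact>camel-netty4?):jar:(?P<version>[0-9][^:\s]*):"
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce '2.25.0.fuse-780036-redhat-00001' to (2, 25, 0).

    Assumption: vendor qualifiers after the numeric prefix do not change
    which upstream range the artifact belongs to.
    """
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when a camel-netty version is inside the advisory's affected range."""
    major, minor, patch = parse_version(version)
    if major == 2:
        return (22, 0) <= (minor, patch) < (25, 1)   # 2.22.0 .. 2.25.0
    if major == 3:
        return (minor, patch) < (2, 0)               # 3.0.0 .. 3.1.x
    return False


def recommended_fix(version: str) -> Optional[str]:
    """Upgrade advice for an affected version, None when not affected."""
    if not is_affected(version):
        return None
    if parse_version(version)[0] == 2:
        return "upgrade to 2.25.1 or move to camel-netty4"
    return "upgrade to 3.2.0"


def scan_dependency_list(text: str) -> List[dict]:
    """Return one finding per camel-netty / camel-netty4 artifact in the output."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact == "camel-netty4":
            findings.append({"artifact": artifact, "version": version,
                             "affected": False,
                             "note": "camel-netty4 (Netty 4.x) is not affected"})
            continue
        findings.append({"artifact": artifact, "version": version,
                         "affected": is_affected(version),
                         "note": recommended_fix(version) or "not in affected range"})
    return findings


# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.camel:camel-core:jar:2.24.3:compile
[INFO]    org.apache.camel:camel-netty:jar:2.24.3:compile
[INFO]    org.apache.camel:camel-netty:jar:3.0.1:compile
[INFO]    org.apache.camel:camel-netty4:jar:2.24.3:compile
[INFO]    org.apache.camel:camel-netty:jar:2.25.1:compile
[INFO]    org.apache.camel:camel-netty:jar:2.21.5:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE):
        flag = "VULNERABLE" if f["affected"] else "ok"
        print(f"{flag:10} {f['artifact']}:{f['version']}  {f['note']}")
```

Run it against `mvn dependency:list` output saved from each build; anything reported as VULNERABLE is a camel-netty artifact in the affected range, and the note carries the upgrade path from the advisory. A camel-netty artifact outside the listed range is still the deprecated Netty 3.x component, so the note for it should be read together with the statement above rather than as an all-clear.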
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat JBoss Data Grid 7 | camel-netty | Not affected | | |
| Red Hat JBoss Fuse 6 | camel-netty | Out of support scope | | |
| Red Hat Fuse 7.8.0 | camel-netty | Fixed | RHSA-2020:5568 | 16.12.2020 |
Additional information
Status:
EPSS:
CVSS3: 9.8 Critical
Related vulnerabilities
Apache Camel Netty enables Java deserialization by default
A vulnerability in the Apache Camel Java framework, related to deserialization of untrusted data in memory, that allows an attacker to gain unauthorized access to protected information, execute arbitrary code, or cause a denial of service.
EPSS:
CVSS3: 9.8 Critical