Description
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected.
Remediation
2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
References
http://www.openwall.com/lists/oss-security/2020/05/14/10
http://www.openwall.com/lists/oss-security/2020/05/14/8
https://camel.apache.org/security/CVE-2020-11972.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
Related Vulnerabilities
CVE-2020-17521 Vulnerability in maven package org.codehaus.groovy:groovy
CVE-2020-7691 Vulnerability in maven package org.webjars.npm:jspdf
CVE-2021-3859 Vulnerability in maven package io.undertow:undertow-core
CVE-2022-0672 Vulnerability in maven package org.eclipse.lemminx:lemminx-parent
CVE-2020-15256 Vulnerability in maven package org.webjars.npm:object-path