Description
Apache Camel Netty enables Java deserialization by default. Apache Camel versions 2.22.x, 2.23.x, 2.24.x, 2.25.0, and 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1; 3.x users should upgrade to 3.2.0.
Remediation
References
https://camel.apache.org/security/CVE-2020-11973.html
http://www.openwall.com/lists/oss-security/2020/05/14/9
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
Related Vulnerabilities
CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-security-utils
CVE-2017-1000402 Vulnerability in maven package org.jenkins-ci.plugins:swarm-plugin
CVE-2021-31522 Vulnerability in maven package org.apache.kylin:kylin-server-base
CVE-2022-33140 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-framework
CVE-2022-24717 Vulnerability in npm package @finastra/ssr-pages