Description

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/05/14/9

https://camel.apache.org/security/CVE-2020-11973.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2019-1003070 Vulnerability in maven package org.jenkins-ci.plugins:veracode-scanner

CVE-2022-36896 Vulnerability in maven package com.compuware.jenkins:compuware-scm-downloader

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.11

CVE-2019-12418 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2021-41084 Vulnerability in maven package org.http4s:http4s-server_3

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory