Platform
java
Component
org.apache.camel:camel-castor
Fixed in
2.19.4
CVE-2017-12634 describes a critical Java object deserialization vulnerability in the camel-castor component of Apache Camel, affecting 2.x versions prior to 2.19.4 and 2.20.0 (the 2.20.x line before 2.20.1). The Castor data format unmarshals XML into Java objects; when that XML comes from an untrusted source, an attacker can make Castor instantiate classes of their choosing and reach arbitrary code execution. The fix shipped in 2.19.4 and 2.20.1.
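To turn those ranges into a check that a build or inventory script can run, here is an added example (not code from this page or from the Camel project). It compares the leading numeric segments of a camel-castor artifact version against the two fixed versions; vendor-qualified builds such as "2.19.3.redhat-1" are treated as their base version, on the assumption that the qualifier does not carry a backported fix.

```java
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the page or the Camel project: decides whether a
 * camel-castor artifact version falls in the ranges this advisory lists
 * (2.x before 2.19.4, and 2.20.x before 2.20.1, i.e. 2.20.0 only).
 *
 * Assumption: vendor qualifiers ("2.19.3.redhat-1", "2.19.3-SNAPSHOT") are
 * ignored and the build is judged on its base version; if your vendor
 * backported the fix, check their own advisory instead.
 */
public final class CamelCastorVersionCheck {

    private static final Pattern LEADING_NUMERIC =
        Pattern.compile("^(\\d+)\\.(\\d+)(?:\\.(\\d+))?");

    private static final int[] FIXED_219 = {2, 19, 4};
    private static final int[] FIRST_220 = {2, 20, 0};
    private static final int[] FIXED_220 = {2, 20, 1};

    private CamelCastorVersionCheck() {}

    /** "2.19.3.redhat-1" -> {2, 19, 3}; a missing patch segment counts as 0. */
    static int[] parse(String version) {
        Matcher m = LEADING_NUMERIC.matcher(version.trim());
        if (!m.find()) {
            throw new IllegalArgumentException("not a Camel version: " + version);
        }
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return new int[] {Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)), patch};
    }

    /** Lexicographic compare of major.minor.patch. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True when the version is inside one of the advisory's affected ranges. */
    public static boolean isAffected(String version) {
        int[] v = parse(version);
        if (v[0] != 2) {
            return false;                              // only the 2.x line is listed
        }
        if (compare(v, FIXED_219) < 0) {
            return true;                               // 2.x < 2.19.4
        }
        // 2.20.x before 2.20.1, which in practice is 2.20.0
        return compare(v, FIRST_220) >= 0 && compare(v, FIXED_220) < 0;
    }

    public static void main(String[] args) {
        for (String v : Arrays.asList("2.18.5", "2.19.3", "2.19.3.redhat-1",
                                      "2.19.4", "2.20.0", "2.20.1", "2.21.0")) {
            System.out.printf("%-18s %s%n", v, isAffected(v) ? "AFFECTED" : "not in advisory range");
        }
    }
}
```

Feed it the version resolved by `mvn dependency:tree` for `org.apache.camel:camel-castor` (the transitive version actually on the classpath, not the one declared in a parent POM).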
The vulnerability lies in the camel-castor component, whose Castor data format marshals Java objects to XML and unmarshals XML back into objects. Any route that calls unmarshal() with this data format on data crossing a trust boundary (an HTTP listener, a JMS queue, a file drop) is an entry point: the attacker submits an XML document naming classes of their choosing, Castor instantiates them during unmarshalling, and a suitable gadget class on the classpath turns that into arbitrary code execution with the privileges of the JVM hosting Camel. The impact is complete compromise of the host, theft of whatever data the application can reach, and denial of service. The mechanics match other Java deserialization flaws: exploitability depends on which gadget-bearing libraries sit on the application's classpath, not on Camel alone, so every service built on a vulnerable Camel deployment is in scope.
CVE-2017-12634 was publicly disclosed on October 16, 2018. Public proof-of-concept exploits are available and show that exploitation requires little more than an HTTP client and a crafted XML document. The severity and the available PoCs give it a high probability of exploitation. It is not currently listed on CISA KEV, but its criticality warrants careful attention: active campaigns against exposed Camel endpoints are plausible given how widely Camel is deployed.
Exploit Status
EPSS
6.48% (91st percentile)
CVSS Vector
The primary mitigation is to upgrade Apache Camel to 2.19.4 or later (2.20.1 or later on the 2.20 line). The fixed releases add an allow-list of classes the Castor data format may unmarshal; set it to the application's own model packages rather than leaving it broad. Input validation is a weak substitute for a deserialization fix: a schema check on the XML does not stop Castor from instantiating the class a document names. If upgrading is not immediately feasible, remove the Castor unmarshal step from every route that receives data from an untrusted source, and restrict network access to the routes that must keep it. Monitor Camel logs for unmarshalling failures and unexpected class names on those routes. A Web Application Firewall rule that looks for class names such as java.lang.Runtime in request bodies can catch unsophisticated payloads but is easy to evade and must not be the only control. After upgrading, verify the fix in a test environment by sending an XML document that names a harmless class outside the allow-list (not a real gadget chain) and confirming that the exchange fails instead of instantiating it.
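The following added example (not code from this page or from the Camel project) shows the two patterns side by side in Camel's Java DSL: a route that feeds untrusted HTTP bodies straight into the Castor data format, and the same route on a fixed release with the allow-list restricted to the application's model package and rejections logged. It assumes the whitelistEnabled, allowedUnmarshallObjects and deniedUnmarshallObjects setters are the options documented for the Castor data format from 2.19.4 onward; "com.example.orders" and "orderService" are placeholders for the deploying application's own package and bean.

```java
import org.apache.camel.Exchange;
import org.apache.camel.LoggingLevel;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.dataformat.castor.CastorDataFormat;

/**
 * Added example, not from the page or the Camel project. Contrasts an
 * unrestricted Castor unmarshal of HTTP input (the pattern CVE-2017-12634
 * hits) with the same route on Camel 2.19.4+ / 2.20.1+ using the data
 * format's class allow-list.
 *
 * Assumptions: setWhitelistEnabled / setAllowedUnmarshallObjects /
 * setDeniedUnmarshallObjects match the Castor data format options documented
 * for the fixed releases; com.example.orders and orderService are placeholders.
 */
public class CastorHardeningRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Any unmarshalling failure, including an allow-list rejection, is
        // logged with the route id and answered with 400 instead of leaking
        // a stack trace to the caller. This is what to watch in the logs.
        onException(Exception.class)
            .handled(true)
            .log(LoggingLevel.WARN,
                 "castor unmarshal rejected on route ${routeId}: ${exception.message}")
            .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(400))
            .setBody(constant("invalid order document"));

        // VULNERABLE PATTERN (Camel < 2.19.4, or 2.20.0): untrusted XML goes
        // straight into Castor, which instantiates whatever class the document
        // names. Kept here only for contrast; do not deploy this route.
        CastorDataFormat unrestricted = new CastorDataFormat();
        from("jetty:http://0.0.0.0:8080/orders-legacy")
            .routeId("orders-legacy")
            .unmarshal(unrestricted)
            .to("bean:orderService");

        // HARDENED PATTERN (Camel 2.19.4+ / 2.20.1+): only classes matching the
        // allow-list may be created during unmarshalling; anything else fails
        // the exchange and lands in the onException handler above.
        CastorDataFormat restricted = new CastorDataFormat();
        restricted.setWhitelistEnabled(true);                           // default on fixed releases; set explicitly
        restricted.setAllowedUnmarshallObjects("com.example.orders.*");  // placeholder model package only
        restricted.setDeniedUnmarshallObjects(
            "java.lang.Runtime,java.lang.ProcessBuilder,javax.naming.*"); // belt and braces

        from("jetty:http://0.0.0.0:8080/orders")
            .routeId("orders")
            .unmarshal(restricted)
            .to("bean:orderService");
    }
}
```

To verify after upgrading, post an XML document to /orders whose root element maps to a harmless class outside com.example.orders (for instance one of your own test classes) and confirm a 400 response and a WARN line naming route "orders" in the log; a real gadget payload is not needed for the check.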
CVE-2017-12634 is a critical vulnerability in Apache Camel 2.x versions prior to 2.19.4 and 2.20.x before 2.20.1, allowing remote code execution via deserialization of untrusted data.
You are affected if you are using Apache Camel 2.x prior to 2.19.4, or 2.20.0 (the only 2.20.x release before 2.20.1), with the camel-castor component on the classpath.
Upgrade Apache Camel to 2.19.4 or later (2.20.1 or later on the 2.20 line). If you cannot upgrade yet, stop unmarshalling Castor XML from untrusted sources; input validation alone is not a reliable workaround for a deserialization flaw.
Public proof-of-concept exploits are available, indicating a high probability of exploitation. Active campaigns are possible.
Refer to the Apache Camel security advisory: https://camel.apache.org/security-advisories.html