Platform
java
Component
org.apache.camel:camel-core
Fixed version
2.20.4
CVE-2018-8027 describes a critical XXE (XML External Entity) injection vulnerability affecting Apache Camel Core versions 2.20.0 through 2.20.3, and 2.21.0. This flaw allows attackers to leverage XSD validation processors to read arbitrary files on the server, potentially exposing sensitive information. The vulnerability was published on October 16, 2018, and a fix is available in version 2.20.4.
An attacker exploiting CVE-2018-8027 can use XXE injection to read local files on the server hosting the Apache Camel application. This includes configuration files, source code, and potentially sensitive data such as database credentials or API keys, and successful exploitation could lead to complete compromise of the system. The XXE injection occurs within the XSD validation processor: attacker-controlled XML that declares an external entity is processed by the validator, which resolves the entity and reads the referenced file. As with other XXE vulnerabilities, this lets an attacker bypass security measures and gain unauthorized access to system resources. The blast radius extends to any data accessible by the Camel application's process.
CVE-2018-8027 is a widely known vulnerability with a high CVSS score. Public proof-of-concept exploits are available, increasing the risk of exploitation. While no confirmed active campaigns have been publicly reported, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was disclosed on October 16, 2018, and added to the NVD database shortly thereafter.
Organizations using Apache Camel Core in their applications, particularly those handling external XML data, are at risk. Systems with older, unpatched Camel Core installations are especially vulnerable. Shared hosting environments where multiple applications share the same Camel instance are also at increased risk, as a compromise in one application could potentially affect others.
• java / server:
find /opt/camel -name '*.xml' -print0 | xargs -0 grep -i '<!DOCTYPE'
• java / server:
ps aux | grep -i 'camel-core' | grep -i 'xsd validation'
• generic web:
Use a WAF to monitor for XML payloads containing external entity references (e.g., <!ENTITY % xxe SYSTEM "file:///etc/passwd">).
• generic web:
Review access logs for requests containing suspicious XML content.
Exploit status
EPSS
2.53% (85th percentile)
CVSS vector
The primary mitigation for CVE-2018-8027 is to upgrade Apache Camel Core to version 2.20.4 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent malicious XML from being processed. Specifically, disable external entity resolution in the XSD validation processor. WAF rules can be configured to block requests containing suspicious XML payloads. Monitor Camel logs for unusual activity or attempts to access files outside of the expected scope. After upgrading, confirm the fix by attempting to trigger the XXE vulnerability with a known malicious XML payload and verifying that it is blocked.
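As an added illustration of the "disable external entity resolution" mitigation and the post-upgrade check described above (example code written for this page, not Camel's own validator implementation), the following standalone class builds a JAXP XSD validator that refuses external DTD, entity and schema access, then shows a constructed payload declaring an external entity being rejected while a clean document still validates. It assumes a JDK 8 or later JAXP implementation; the schema, the sample documents and the file path in the payload are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

public class HardenedXsdValidation {
    // Constructed sample schema: an <order> element containing one string <id>.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"order\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"id\" type=\"xs:string\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
    // Constructed test payload: declares an external entity that points at a local file.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
      + "<order><id>&xxe;</id></order>";

    // Build a Validator that will not fetch external DTDs/entities or external schemas.
    // An empty string for ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA allows no protocol at all.
    static Validator hardenedValidator() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));
        Validator v = schema.newValidator();
        v.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    // Returns true if the document validates, false if the validator rejects it.
    static boolean accepts(Validator v, String xml) {
        try {
            v.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (Exception e) {   // SAXParseException: the blocked external entity
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Validator v = hardenedValidator();
        System.out.println("clean document accepted: " + accepts(v, "<order><id>42</id></order>"));
        System.out.println("XXE payload accepted:    " + accepts(v, XXE_PAYLOAD));
    }
}
```

The same two properties are what to look for when reviewing how an application constructs its own `SchemaFactory` and `Validator` around Camel; the upgrade to 2.20.4 remains the primary fix.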
No official patch is available. Check for workarounds or monitor for updates.
CVE-2018-8027 is a critical XXE injection vulnerability in Apache Camel Core versions 2.20.0 through 2.20.3 and 2.21.0, allowing attackers to read arbitrary files.
You are affected if you are using Apache Camel Core versions 2.20.0, 2.20.1, 2.20.2, 2.20.3, or 2.21.0. Upgrade to 2.20.4 or later to mitigate the risk.
Upgrade Apache Camel Core to version 2.20.4 or later. If upgrading is not possible, implement input validation and disable external entity resolution.
While no confirmed active campaigns are publicly known, the vulnerability's ease of exploitation makes it a potential target for attackers.
Refer to the Apache Camel security advisory: https://camel.apache.org/security-advisories.html