Platform
java
Component
org.apache.camel:camel-castor
Fixed in
2.19.4
CVE-2017-12634 describes a critical Java object deserialization vulnerability affecting Apache Camel versions 2.x prior to 2.19.4 and 2.20.x before 2.20.1. This vulnerability allows attackers to execute arbitrary code by crafting malicious serialized data. Affected versions include those less than or equal to 2.9.8 and versions within the 2.20.x range before 2.20.1. A fix is available in version 2.19.4.
The vulnerability lies within the camel-castor component, which handles data serialization and deserialization. An attacker can exploit this flaw by sending a specially crafted serialized object to a Camel route that utilizes the camel-castor component. Upon deserialization, this malicious object can trigger arbitrary code execution on the server hosting the Camel application. The potential impact is severe, including complete system compromise, data theft, and denial of service. This vulnerability shares similarities with other deserialization exploits, potentially allowing for remote command execution with the privileges of the Camel process. The blast radius extends to any system relying on vulnerable Camel deployments.
CVE-2017-12634 was publicly disclosed on October 16, 2018. Public proof-of-concept exploits are available, demonstrating the ease of exploitation. The vulnerability has a high probability of exploitation due to its severity and the availability of PoCs. It is not currently listed on CISA KEV, but its criticality warrants careful attention. Active campaigns targeting this vulnerability are possible, given its widespread use and ease of exploitation.
Organizations utilizing Apache Camel in their integration solutions are at risk, particularly those relying on older versions (≤2.9.8, 2.20.x before 2.20.1). Systems with exposed Camel endpoints are especially vulnerable. Applications that process untrusted data through Camel routes are also at heightened risk.
• java / server:
find / -name "camel-castor*.jar" -print
• java / server:
ps -ef | grep -i camel
• java / server: Examine Camel route configurations for usage of the camel-castor component and any deserialization operations.
• java / server: Monitor Camel logs for deserialization errors or suspicious activity related to the camel-castor component.
Exploit Status
EPSS
6.48% (91st percentile)
The primary mitigation is to upgrade Apache Camel to version 2.19.4 or later. If upgrading immediately is not feasible, consider implementing input validation to sanitize data before deserialization. This could involve whitelisting allowed classes or using a secure deserialization library. As a temporary workaround, restrict network access to Camel routes that utilize the camel-castor component. Monitor Camel logs for suspicious deserialization activity. Implement a Web Application Firewall (WAF) with rules to detect and block malicious serialized payloads. After upgrading, verify the fix by attempting to deserialize a known malicious payload and confirming that it is rejected.
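As an added illustration of the class-whitelisting mitigation described above (example code written for this page, not taken from the Apache Camel project or the advisory): the JDK's ObjectInputFilter (Java 9+, JEP 290) lets an ObjectInputStream refuse any class that is not on an explicit allowlist before the object is instantiated. Castor XML mapping, which camel-castor uses, is a separate deserialization mechanism with its own configuration and is not shown here. The SafeMessage type, the allowlist contents and the depth limit are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationAllowlistDemo {

    // Constructed example type: the only application class this route is expected to receive.
    public static final class SafeMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String body;
        SafeMessage(String body) { this.body = body; }
    }

    // Allowlist of fully qualified class names. Assumption: a real route derives this set
    // from its message contract rather than from whatever happens to arrive on the wire.
    private static final Set<String> ALLOWED = Set.of(
            SafeMessage.class.getName(),
            "java.lang.String");

    // Assumption: object graphs nested deeper than this are treated as hostile.
    private static final int MAX_DEPTH = 10;

    // Filter: allow only listed classes (and primitives), reject everything else, and leave
    // non-class checks (reference counts, array lengths) undecided so the JDK defaults apply.
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        if (info.depth() > MAX_DEPTH) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (clazz.isArray()) {            // judge arrays by their component type
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist in force. A class that is not allowed raises
    // InvalidClassException when its descriptor is read, before any instance exists.
    static Object deserializeGuarded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed: the expected message type round-trips normally.
        SafeMessage ok = (SafeMessage) deserializeGuarded(serialize(new SafeMessage("hello")));
        System.out.println("accepted: " + ok.body);

        // Rejected: a HashMap is harmless on its own, but it is not on the allowlist, so the
        // filter refuses it. Any class a gadget chain would need is refused the same way.
        try {
            deserializeGuarded(serialize(new HashMap<String, String>()));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same policy can be applied process-wide without code changes through the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, using the JDK's pattern syntax; the lambda form above is used here because it makes the allow, reject and undecided outcomes explicit. Rejections surface as InvalidClassException, which is the event to look for when monitoring Camel logs for suspicious deserialization activity as the text recommends.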
No official patch available. Look for temporary workarounds or monitor for updates.
CVE-2017-12634 is a critical vulnerability in Apache Camel 2.x versions prior to 2.19.4 and 2.20.x before 2.20.1, allowing remote code execution via deserialization of untrusted data.
You are affected if you are using Apache Camel 2.x versions less than or equal to 2.9.8 or versions within the 2.20.x range before 2.20.1.
Upgrade Apache Camel to version 2.19.4 or later. Implement input validation as a temporary workaround.
Public proof-of-concept exploits are available, indicating a high probability of exploitation. Active campaigns are possible.
Refer to the Apache Camel security advisory: https://camel.apache.org/security-advisories.html