Bug 1011726 (CVE-2013-4330)

Summary: CVE-2013-4330 Camel: remote code execution via header field manipulation
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: djorm, security-response-team, weli
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-06 06:18:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1051969, 1051970, 1051971, 1056925, 1056926    
Bug Blocks: 996321, 1012225, 1015403, 1059975    

Description Chess Hazlett 2013-09-25 01:30:42 UTC 
A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process.

External References:

https://issues.apache.org/jira/browse/CAMEL-6734
https://issues.apache.org/jira/browse/CAMEL-6748
Comment 1 Chess Hazlett 2013-09-25 01:43:56 UTC 
*** Bug 995275 has been marked as a duplicate of this bug. ***
Comment 2 Chess Hazlett 2013-09-25 01:45:11 UTC 
*** Bug 1011695 has been marked as a duplicate of this bug. ***
Comment 3 Chess Hazlett 2013-09-25 01:45:52 UTC 
*** Bug 1011678 has been marked as a duplicate of this bug. ***
Comment 6 Vincent Danen 2013-09-30 19:17:39 UTC 
External References:

http://camel.apache.org/security-advisories.data/CVE-2013-4330.txt.asc
Comment 7 errata-xmlrpc 2013-10-07 17:19:17 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.0.0
  Red Hat JBoss A-MQ 6.0.0

Via RHSA-2013:1410 https://rhn.redhat.com/errata/RHSA-2013-1410.html
Comment 8 errata-xmlrpc 2013-12-19 22:50:53 UTC 
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2013:1862 https://rhn.redhat.com/errata/RHSA-2013-1862.html
Comment 11 errata-xmlrpc 2014-01-30 20:19:47 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0124 https://rhn.redhat.com/errata/RHSA-2014-0124.html
Comment 12 errata-xmlrpc 2014-02-05 17:43:27 UTC 
This issue has been addressed in following products:

  Red Hat JBoss BRMS 6.0.0
  Red Hat JBoss BPMS 6.0.0

Via RHSA-2014:0140 https://rhn.redhat.com/errata/RHSA-2014-0140.html
Comment 13 errata-xmlrpc 2014-03-03 18:26:39 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html
Comment 14 errata-xmlrpc 2014-03-05 19:06:06 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html