Bug 1011726 (CVE-2013-4330)

Summary: CVE-2013-4330 Camel: remote code execution via header field manipulation
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: djorm, security-response-team, weli
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20130930,reported=20130911,source=redhat,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,jboss/fuse-6.0=affected,jboss/fuse-esb-7.1=affected,jboss/amq-6.0=affected,jboss/fuse-mq-7.1=affected,fsw-6/Camel=affected,brms-6/Camel=affected,bpms-6/Camel=affected,openshift-enterprise-1/camel=affected,openshift-enterprise-2/camel=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-06 01:18:52 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1051969, 1051970, 1051971, 1056925, 1056926    
Bug Blocks: 996321, 1012225, 1015403, 1059975    

Description Chess Hazlett 2013-09-24 21:30:42 EDT
A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process.

External References:

https://issues.apache.org/jira/browse/CAMEL-6734
https://issues.apache.org/jira/browse/CAMEL-6748
Comment 1 Chess Hazlett 2013-09-24 21:43:56 EDT
*** Bug 995275 has been marked as a duplicate of this bug. ***
Comment 2 Chess Hazlett 2013-09-24 21:45:11 EDT
*** Bug 1011695 has been marked as a duplicate of this bug. ***
Comment 3 Chess Hazlett 2013-09-24 21:45:52 EDT
*** Bug 1011678 has been marked as a duplicate of this bug. ***
Comment 6 Vincent Danen 2013-09-30 15:17:39 EDT
External References:

http://camel.apache.org/security-advisories.data/CVE-2013-4330.txt.asc
Comment 7 errata-xmlrpc 2013-10-07 13:19:17 EDT
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.0.0
  Red Hat JBoss A-MQ 6.0.0

Via RHSA-2013:1410 https://rhn.redhat.com/errata/RHSA-2013-1410.html
Comment 8 errata-xmlrpc 2013-12-19 17:50:53 EST
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2013:1862 https://rhn.redhat.com/errata/RHSA-2013-1862.html
Comment 11 errata-xmlrpc 2014-01-30 15:19:47 EST
This issue has been addressed in following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0124 https://rhn.redhat.com/errata/RHSA-2014-0124.html
Comment 12 errata-xmlrpc 2014-02-05 12:43:27 EST
This issue has been addressed in following products:

  Red Hat JBoss BRMS 6.0.0
  Red Hat JBoss BPMS 6.0.0

Via RHSA-2014:0140 https://rhn.redhat.com/errata/RHSA-2014-0140.html
Comment 13 errata-xmlrpc 2014-03-03 13:26:39 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html
Comment 14 errata-xmlrpc 2014-03-05 14:06:06 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html