Bug 1292849 (CVE-2015-5348)

Summary: CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, aileenc, alazarot, chazlett, dmcphers, etirelli, gvarsami, jcoleman, jialiu, jokerman, jshepherd, ldimaggi, lmeyer, mbaluch, mmccomas, mwinkler, nwallace, rrajasek, rwagner, rzhang, soa-p-jira, tcunning, tiwillia, tkirby
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Camel 2.15.5, Camel 2.16.1
Doc Type: Bug Fix
Doc Text:
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability. If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel automatically de-serialises HTTP requests that carry the Content-Type header application/x-java-serialized-object.
Story Points: ---
Last Closed: 2021-10-21 00:48:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1293187, 1293188
Bug Blocks: 1292850, 1379523, 1381801, 1385169

Description Martin Prpič 2015-12-18 14:15:31 UTC
A flaw was found in Apache Camel:

Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability

If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header: application/x-java-serialized-object.

External References:

https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt

Comment 1 Jason Shepherd 2015-12-21 01:59:08 UTC
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744

Comment 2 Jason Shepherd 2015-12-21 02:06:15 UTC
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464

Comment 4 Jason Shepherd 2016-01-19 00:33:58 UTC
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worth including in a cumulative patch for 6.1.x.

CVE-2015-5348 is more of a programming weakness than an actual vulnerability. The fact that Camel deserialises objects is not necessarily a vulnerability. However, if there is a 'gadget chain' [0] in any library on the class path of the Camel Jetty route which deserialises those objects, then that could lead to remote code execution if a malicious object is sent to the Camel route with the 'content-header: application/x-java-serialized-object' HTTP header.

[0] http://jasonshepherd.net/2015/11/27/deserialization-in-java-collection-of-thoughts/

Recently we released a patch for JBoss Fuse 6.x (CVE-2015-7501) that removes a 'gadget chain' in the Apache commons-collection library. Therefore I think the best mitigation you could take for CVE-2015-5348 is to apply that patch in order to remove the chance of it being exploited.
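As an added, defender-side example that is not part of this bug report and not Camel's or Red Hat's code: a small Python gate that inspects raw HTTP requests in front of a camel-jetty/camel-servlet consumer and flags the bodies Camel would deserialise, so they can be rejected or logged before reaching the route. It assumes the request is available as raw HTTP/1.x bytes and that /camel/orders and /camel/upload are consumer endpoints (constructed names). The Content-Type check is the condition the advisory describes; the check for the java.io.ObjectOutputStream stream header (0xACED0005) goes beyond it as defence in depth, catching serialized objects that arrive under another content type. The sample requests are constructed.

```python
from typing import Dict, List, Tuple

# Content type that camel-jetty / camel-servlet consumers deserialise automatically (per the advisory).
RISKY_CONTENT_TYPE = "application/x-java-serialized-object"
# Stream header written by java.io.ObjectOutputStream: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(headers: Dict[str, str]) -> str:
    """Bare media type of Content-Type, ignoring parameters (e.g. charset) and case."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def classify(headers: Dict[str, str], body: bytes) -> str:
    """Verdict for one request: 'block', 'suspicious' or 'ok'.

    'block': the declared type is the one Camel deserialises, so the route must never see it.
    'suspicious': the body carries the Java serialization magic under another content type;
    Camel would not deserialise it, but it is worth logging as probing activity.
    """
    if media_type(headers) == RISKY_CONTENT_TYPE:
        return "block"
    if body.startswith(JAVA_SERIAL_MAGIC):
        return "suspicious"
    return "ok"


def triage(raw_requests: List[bytes]) -> List[Tuple[str, str]]:
    """Classify a batch of raw requests; returns (request line, verdict) pairs."""
    results = []
    for raw in raw_requests:
        request_line, headers, body = parse_request(raw)
        results.append((request_line, classify(headers, body)))
    return results


# Constructed sample traffic (assumed: /camel/orders and /camel/upload are camel-jetty consumers).
SAMPLE_REQUESTS = [
    b"POST /camel/orders HTTP/1.1\r\nHost: fuse.example\r\n"
    b"Content-Type: application/x-java-serialized-object\r\nContent-Length: 4\r\n\r\n"
    + JAVA_SERIAL_MAGIC,
    # Mixed case and a charset parameter must not bypass the check.
    b"POST /camel/orders HTTP/1.1\r\nHost: fuse.example\r\n"
    b"Content-Type: Application/X-Java-Serialized-Object; charset=UTF-8\r\n\r\n"
    + JAVA_SERIAL_MAGIC,
    # Serialized object mislabelled as a generic binary upload: log it, do not block.
    b"POST /camel/upload HTTP/1.1\r\nHost: fuse.example\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n" + JAVA_SERIAL_MAGIC + b"payload",
    b"POST /camel/orders HTTP/1.1\r\nHost: fuse.example\r\n"
    b"Content-Type: application/json\r\n\r\n" + b'{"id": 42}',
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:10s} {line}")
```

Blocking on the declared media type is the precise mitigation for this bug, since the advisory states Camel deserialises only when that header is present; comparing the bare media type case-insensitively matters because parameters such as a charset would otherwise let the declaration slip past an exact-string match. The magic-byte verdict is kept separate ('suspicious' rather than 'block') so that legitimate binary uploads are not dropped on a heuristic while probing still shows up in logs.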

Comment 5 Pavel Polischouk 2016-04-07 20:45:47 UTC
Tracker for FSW 6.2.1: https://issues.jboss.org/browse/ENTESB-4744

Comment 7 errata-xmlrpc 2016-10-06 16:19:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html