Bug 1513376 (CVE-2017-12634)

Summary: CVE-2017-12634 camel-castor: Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, chazlett, gvarsami, jcoleman, ldimaggi, nwallace, rwagner, sjavurek, tcunning, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: camel-castor 2.19.4, camel-castor 2.20.1 Doc Type: If docs needed, set a value
Doc Text:
It was found that Apache Camel contains a security vulnerability via camel-castor component. An attacker can utilize this flaw to deserialize a malicious object on the target machine which could lead to Remote Code Execution (RCE).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:57:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1513385    

Description Adam Mariš 2017-11-15 10:13:42 UTC 
Apache Camel's camel-castor component is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.

Versions Affected: Camel 2.19.0 to 2.19.3 and Camel 2.20.0
The unsupported Camel 2.x (2.18 and earlier) versions may be also affected.

References:

https://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc
https://issues.apache.org/jira/browse/CAMEL-11929
Comment 1 Rick Wagner 2017-11-15 14:05:43 UTC 
Fuse will track this effort with [1].

GSS Product liaison Susan Javurek has been added to the cc:list.

[1] https://issues.jboss.org/browse/ENTESB-7452
Comment 2 errata-xmlrpc 2018-02-14 19:30:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
Comment 3 Joshua Padman 2019-05-15 22:43:18 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 4 Joshua Padman 2019-08-12 02:15:49 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.