Bug 1855786 (CVE-2020-11994)

Summary: CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, akoufoud, alazarot, almorale, anstephe, ataylor, chazlett, drieden, etirelli, ganandan, ggaughan, gmalinko, gvarsami, ibek, janstey, jcoleman, jochrist, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, mnovotny, nwallace, paradhya, pjindal, rrajasek, rsynek, rwagner, sdaley, tcunning, tkirby, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in camel. Camel's templating components are suseptable to Server-Side Template Injection and arbitrary file disclosure. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-01 19:17:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1855787    

Description Guilherme de Almeida Suckevicz 2020-07-10 13:49:04 UTC 
Server-Side Template Injection and arbitrary file disclosure on Camel templating components.

Reference:
https://camel.apache.org/security/CVE-2020-11994.html
Comment 4 Jonathan Christison 2020-07-17 12:49:53 UTC 
Red Hat AMQ 6 as affected but at a lower impact, It is delivery linked with Fuse 6 and so distributes Camel and its components but this vulnerability does not directly affect ActiveMQ components themselves and only affects camel template components: 

 - freemarker 
 - velocity 
 - mvel 
 - mustache 
 - string-template 
 - chunk 
 - jolt 
 - jslt 


This vulnerability is out of security support scope for the following products:
 * Red Hat AMQ 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BPM Suite 6
Comment 6 errata-xmlrpc 2020-09-01 14:41:15 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2020:3587 https://access.redhat.com/errata/RHSA-2020:3587
Comment 7 Product Security DevOps Team 2020-09-01 19:17:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11994
Comment 8 errata-xmlrpc 2020-12-16 12:14:36 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568