Bug 1292849 - (CVE-2015-5348) CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151217,repor...
Keywords: Security
Depends On: 1293188 1293187
Blocks: 1292850 1379523 1381801 1385169
Reported: 2015-12-18 09:15 EST by Martin Prpič
Modified: 2018-06-29 18:06 EDT (History)
Fixed In Version: Camel 2.15.5, Camel 2.16.1
Doc Type: Bug Fix
Doc Text:
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header: application/x-java-serialized-object.
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2016:2035
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat JBoss Fuse 6.3 security update
Last Updated: 2016-10-06 16:18:07 EDT

Description Martin Prpič 2015-12-18 09:15:31 EST
A flaw was found in Apache Camel:

Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability.

If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content-header: application/x-java-serialized-object.

External References:

https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt
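The automatic de-serialisation described in the report is keyed on the request's content type, so a first defensive check is whether requests of that kind reach a camel-jetty or camel-servlet consumer at all (for example by replaying proxy or access-log records). The following Python script is an added example and is not code from the bug report or from Apache Camel: it flags constructed sample requests that carry the application/x-java-serialized-object content type, and separately flags bodies that begin with the standard java.io.ObjectOutputStream header (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005). The HttpRequest record, the sample traffic and all function names are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Content type that makes camel-jetty / camel-servlet consumers de-serialise the
# request body automatically (per the advisory quoted above).
TRIGGER_CONTENT_TYPE = "application/x-java-serialized-object"

# Standard header written by java.io.ObjectOutputStream:
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
JAVA_SERIAL_HEADER = b"\xac\xed\x00\x05"


@dataclass
class HttpRequest:
    """Minimal request record (hypothetical shape, e.g. rebuilt from a proxy log)."""
    method: str
    path: str
    headers: dict[str, str]
    body: bytes


def content_type(req: HttpRequest) -> str:
    """Return the request's media type, lower-cased and without parameters."""
    for name, value in req.headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def starts_with_java_serial_header(body: bytes) -> bool:
    """True when the body begins with the Java object-stream header."""
    return body[:4] == JAVA_SERIAL_HEADER


def classify(req: HttpRequest) -> list[str]:
    """Return the reasons a request should be flagged (empty list when it is clean)."""
    findings: list[str] = []
    if content_type(req) == TRIGGER_CONTENT_TYPE:
        findings.append("content type triggers automatic Java deserialisation")
    if starts_with_java_serial_header(req.body):
        findings.append("body starts with Java serialization stream header")
    return findings


def scan(requests: list[HttpRequest]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch and keep only the flagged requests."""
    flagged: list[tuple[str, list[str]]] = []
    for req in requests:
        findings = classify(req)
        if findings:
            flagged.append((f"{req.method} {req.path}", findings))
    return flagged


# Constructed sample traffic; none of these bodies is a real serialized object.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/orders", {"Content-Type": "application/json"}, b'{"id": 1}'),
    HttpRequest("POST", "/orders",
                {"Content-Type": "application/x-java-serialized-object"},
                JAVA_SERIAL_HEADER + b"<constructed placeholder>"),
    # Header casing and media-type parameters must not defeat the check.
    HttpRequest("POST", "/orders",
                {"content-type": "Application/X-Java-Serialized-Object; charset=binary"},
                b""),
    # Serialized stream sent under an unrelated content type: Camel would not
    # auto-deserialise it, but it is still worth surfacing in a review.
    HttpRequest("PUT", "/upload", {"Content-Type": "application/octet-stream"},
                JAVA_SERIAL_HEADER + b"<constructed placeholder>"),
]


if __name__ == "__main__":
    for where, reasons in scan(SAMPLE_REQUESTS):
        print(where, "->", "; ".join(reasons))
```

The content-type check is the one that maps directly onto the advisory; the stream-header check is broader and exists only so that serialized payloads arriving under some other media type are not silently ignored. The same two conditions can be turned into a reject rule at a reverse proxy in front of the Camel endpoint while the fixed Camel version is being rolled out.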
Comment 1 Jason Shepherd 2015-12-20 20:59:08 EST
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Comment 2 Jason Shepherd 2015-12-20 21:06:15 EST
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464
Comment 4 Jason Shepherd 2016-01-18 19:33:58 EST
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worthy of including in a cumulative patch for 6.1.x.

CVE-2015-5348 is more of a programming weakness than an actual vulnerability. The fact that Camel deserialises objects is not necessarily a vulnerability. However, if there is a 'gadget chain' [0] in any library on the class path of the Camel Jetty route which deserialises those objects, then that could lead to remote code execution if a malicious object is sent to the Camel route with the 'content-header: application/x-java-serialized-object' HTTP header.

[0] http://jasonshepherd.net/2015/11/27/deserialization-in-java-collection-of-thoughts/

Recently we released a patch for JBoss Fuse 6.x (CVE-2015-7501) that removes a 'gadget chain' in the Apache commons-collection library. Therefore I think the best mitigation you could take for CVE-2015-5348 is to apply that patch in order to remove the chance of it being exploited.
Comment 5 Pavel Polischouk 2016-04-07 16:45:47 EDT
Tracker for FSW 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Comment 7 errata-xmlrpc 2016-10-06 12:19:37 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html