Bug 1292849 (CVE-2015-5348) - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
Summary: CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1293188 1293187
Blocks: 1292850 1379523 1381801 1385169
TreeView+ depends on / blocked
 
Reported: 2015-12-18 14:15 UTC by Martin Prpič
Modified: 2021-10-21 00:48 UTC (History)
24 users (show)

Fixed In Version: Camel 2.15.5, Camel 2.16.1
Doc Type: Bug Fix
Doc Text:
It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:48:54 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2035 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC

Description Martin Prpič 2015-12-18 14:15:31 UTC 
A flaw was found in Apache Camel:

Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability

If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatic de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object.

External References:

https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt
Comment 1 Jason Shepherd 2015-12-21 01:59:08 UTC 
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Comment 2 Jason Shepherd 2015-12-21 02:06:15 UTC 
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464
Comment 4 Jason Shepherd 2016-01-19 00:33:58 UTC 
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worthy of including in a cumulative patch for 6.1.x.

CVE-2015-5348 is more of a programming weakness than an actual vulnerability. The fact that Camel deserialises objects it not necessarily a vulnerability. However if there is a 'gadget chain', [0] in any library on the class path of the Camel Jetty route which deserialises those objects, then that could lead to remote code execution if a malicious object is sent to the Camel route with the 'content-header: application/x-java-serialized-object' HTTP Header.

[0] http://jasonshepherd.net/2015/11/27/deserialization-in-java-collection-of-thoughts/

Recently we released a patch for JBoss Fuse 6.x, (CVE-2015-7501) that removes a 'gadget chain' in the Apache commons-collection library. Therefore I think the best mitigation you could take for CVE-2015-5348, is to apply that patch in order to remove the chance of it being exploited.
Comment 5 Pavel Polischouk 2016-04-07 20:45:47 UTC 
Tracker for FSW 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Comment 7 errata-xmlrpc 2016-10-06 16:19:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html
Note You need to log in before you can comment on or make changes to this bug.