A flaw was found in Apache Camel: Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatic de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object. External References: https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worthy of including in a cumulative patch for 6.1.x. CVE-2015-5348 is more of a programming weakness than an actual vulnerability. The fact that Camel deserialises objects it not necessarily a vulnerability. However if there is a 'gadget chain', [0] in any library on the class path of the Camel Jetty route which deserialises those objects, then that could lead to remote code execution if a malicious object is sent to the Camel route with the 'content-header: application/x-java-serialized-object' HTTP Header. [0] http://jasonshepherd.net/2015/11/27/deserialization-in-java-collection-of-thoughts/ Recently we released a patch for JBoss Fuse 6.x, (CVE-2015-7501) that removes a 'gadget chain' in the Apache commons-collection library. Therefore I think the best mitigation you could take for CVE-2015-5348, is to apply that patch in order to remove the chance of it being exploited.
Tracker for FSW 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.3 Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html