Red Hat Bugzilla – Bug 1292849
CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
Last modified: 2016-12-11 10:57:06 EST
A flaw was found in Apache Camel:
Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability.
If camel-jetty or camel-servlet is used as a consumer in Camel routes, Camel will automatically de-serialise HTTP requests whose Content-Type header is application/x-java-serialized-object.
Tracker for Fuse 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
Tracker for A-MQ 6.2.1: https://issues.jboss.org/browse/ENTMQ-1464
CVE-2015-5348 is currently scheduled to be fixed in the Fuse 6.3 release. It is ranked as having moderate impact, so we feel it's not worthy of including in a cumulative patch for 6.1.x.
CVE-2015-5348 is more of a programming weakness than an actual vulnerability. The fact that Camel deserialises objects is not necessarily a vulnerability. However, if there is a 'gadget chain' in any library on the class path of the Camel Jetty route which deserialises those objects, then that could lead to remote code execution if a malicious object is sent to the Camel route with the 'content-header: application/x-java-serialized-object' HTTP header.
Recently we released a patch for JBoss Fuse 6.x (CVE-2015-7501) that removes a 'gadget chain' in the Apache commons-collections library. Therefore I think the best mitigation you could take for CVE-2015-5348 is to apply that patch in order to remove the chance of it being exploited.
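As an added example (not code from the Camel project, Red Hat, or this bug report): a small Python pre-filter of the kind a reverse proxy or integration test could run in front of a camel-jetty/camel-servlet consumer. It refuses requests whose Content-Type is the `application/x-java-serialized-object` media type named in the description, which is what triggers Camel's automatic de-serialisation, and it also flags bodies that begin with the Java serialization stream header (`0xACED 0x0005`, a fixed constant of the Java serialization format). The request samples are constructed and the helper names are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass

# The media type that camel-jetty / camel-servlet consumers treat as a
# Java-serialised payload (from the bug description above).
JAVA_SERIALIZED_MIME = "application/x-java-serialized-object"

# Java serialization stream header: STREAM_MAGIC (0xACED) then STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def parse_request(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into a lower-cased header dict and the body.

    Hypothetical minimal parser for the samples below; it does not handle
    chunked encoding or folded headers.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def declares_java_serialized(headers: dict[str, str]) -> bool:
    """True if Content-Type (ignoring parameters and case) is the Java-serialised type."""
    media_type = headers.get("content-type", "").split(";", 1)[0]
    return media_type.strip().lower() == JAVA_SERIALIZED_MIME


def looks_java_serialized(body: bytes) -> bool:
    """True if the body starts with the Java serialization stream header."""
    return body.startswith(JAVA_STREAM_MAGIC)


def check_request(raw: bytes) -> Verdict:
    """Decide whether a request may be forwarded to the Camel consumer."""
    headers, body = parse_request(raw)
    if declares_java_serialized(headers):
        return Verdict(False, "Content-Type requests Java deserialisation")
    if looks_java_serialized(body):
        # Camel would not deserialise this one (wrong Content-Type), but a
        # serialised object arriving under another label is worth blocking and logging.
        return Verdict(False, "body carries a Java serialization stream header")
    return Verdict(True, "ok")


# Constructed sample requests (not captured traffic).
SAMPLE_JSON = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
    b"Content-Type: application/json\r\nContent-Length: 12\r\n\r\n"
    b'{"id": 1234}'
)
SAMPLE_SERIALIZED = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
    b"Content-Type: Application/X-Java-Serialized-Object; charset=utf-8\r\n"
    b"Content-Length: 4\r\n\r\n" + JAVA_STREAM_MAGIC
)
SAMPLE_MISLABELLED = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 4\r\n\r\n" + JAVA_STREAM_MAGIC
)

if __name__ == "__main__":
    for name, req in [("json", SAMPLE_JSON), ("serialized", SAMPLE_SERIALIZED),
                      ("mislabelled", SAMPLE_MISLABELLED)]:
        v = check_request(req)
        print(f"{name:12s} allowed={v.allowed} reason={v.reason}")
```

The media-type comparison strips parameters such as `; charset=...` and is case-insensitive, since a header check that only matches the exact lower-case string is easy to bypass. Blocking on the stream magic as well is deliberate: it catches serialised payloads even if the route later gains a binding that consumes them, and it gives the proxy a log line independent of what the route does.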
Tracker for FSW 6.2.1: https://issues.jboss.org/browse/ENTESB-4744
This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.3
Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html