A Java object de-serialization vulnerability in the camel-xstream component was reported, leading to possible remote code execution.
JIRA ticket referring to various commits that resolved the issue:
Currently scheduled for the Fuse 6.3 release. If you need this feature earlier, please let us know by commenting here.
This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.3
Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html