Bug 1303609 - (CVE-2015-5344) CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151106,repor...
: Security
Depends On: 1323324
Blocks: 1385169 1303613 1379523 1381801
  Show dependency treegraph
 
Reported: 2016-02-01 07:41 EST by Adam Mariš
Modified: 2016-10-14 16:47 EDT (History)
29 users (show)

See Also:
Fixed In Version: camel 2.15.5, camel 2.16.1
Doc Type: Bug Fix
Doc Text:
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-02-01 07:41:27 EST
Java object de-serialization vulnerability in camel-xstream component was reported, leading to possible remote code execution. 

JIRA ticket referring to various commits that resolved the issue:

https://issues.apache.org/jira/browse/CAMEL-9297

External References:

https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2
Comment 2 Jason Shepherd 2016-02-16 17:30:48 EST
Currently scheduled for Fuse 6.3 release, if you need this feature earlier, please let us know by commenting here.
Comment 10 errata-xmlrpc 2016-10-06 12:19:51 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html

Note You need to log in before you can comment on or make changes to this bug.