Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832