Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object deserialization vulnerability. Camel allows the type that incoming data is deserialized into to be specified through the 'CamelJacksonUnmarshalType' property. Deserializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java deserialization issues.

External References:
http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc

Upstream bugs:
https://issues.apache.org/jira/browse/CAMEL-10567
https://issues.apache.org/jira/browse/CAMEL-10604
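As an added example (not code from the advisory or from the Apache Camel project), a Camel RouteBuilder that places the risky data-format setting, which honours the 'CamelJacksonUnmarshalType' header, beside the hardened one, which pins the unmarshal type and strips the header at the inbound trust boundary. The Order class, endpoint URIs and route names are assumptions; allowUnmarshallType is the camel-jackson data-format option that controls whether the header is honoured (it defaults to false in fixed releases).

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jackson.JacksonDataFormat;

// Hypothetical application routes, written to illustrate the hardening.
public class OrderRoutes extends RouteBuilder {

    // Name of the header described in the advisory.
    static final String UNMARSHAL_TYPE_HEADER = "CamelJacksonUnmarshalType";

    // Hypothetical target type: the only class JSON input may become.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Risky pattern to look for in code review: with allowUnmarshallType
    // enabled, whoever controls the inbound message can pick the class
    // Jackson instantiates. Shown only as the "before" configuration.
    static JacksonDataFormat headerDrivenType() {
        JacksonDataFormat df = new JacksonDataFormat(Order.class);
        df.setAllowUnmarshallType(true);
        return df;
    }

    // Hardened: the target type is fixed in the route and the header is
    // ignored. The option already defaults to false in fixed versions; it is
    // set explicitly so the intent survives upgrades and refactoring.
    static JacksonDataFormat pinnedType() {
        JacksonDataFormat df = new JacksonDataFormat(Order.class);
        df.setAllowUnmarshallType(false);
        return df;
    }

    @Override
    public void configure() {
        from("jetty:http://0.0.0.0:8080/orders")   // assumed untrusted entry point
            // Defence in depth: drop the header at the trust boundary so it
            // cannot reach any downstream unmarshal step, including on older
            // Camel releases that honoured it unconditionally.
            .process(exchange -> exchange.getIn().removeHeader(UNMARSHAL_TYPE_HEADER))
            .unmarshal(pinnedType())
            .to("direct:processOrder");           // assumed internal route

        from("direct:processOrder")
            .log("received order ${body.id} x ${body.quantity}");
    }
}
```

A quick audit of an existing code base is to search for setAllowUnmarshallType(true) or allowUnmarshallType="true" in XML DSL and confirm each hit only ever receives messages from fully trusted senders.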
This issue has been addressed in the following products:
Red Hat JBoss Fuse: via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832