Apache Camel's camel-castor component is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
Versions Affected: Camel 2.19.0 to 2.19.3 and Camel 2.20.0. The unsupported Camel 2.x (2.18 and earlier) versions may also be affected.
References:
https://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc
https://issues.apache.org/jira/browse/CAMEL-11929
Fuse will track this effort with [1]. GSS Product liaison Susan Javurek has been added to the cc:list.
[1] https://issues.jboss.org/browse/ENTESB-7452
This issue has been addressed in the following products:
  Red Hat JBoss Fuse
Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.