Apache Camel's JMX is vulnerable to a Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, and 3.0.0 up to 3.1.0 are affected. Users should upgrade to 3.2.0.

References:
http://www.openwall.com/lists/oss-security/2020/05/14/7
https://issues.apache.org/jira/browse/CAMEL-14811
https://camel.apache.org/security/CVE-2020-11971.html
https://lists.apache.org/thread.html/r16f4f9019840bc923e25d1b029fb42fe2676c4ba36e54824749a8da9@%3Ccommits.camel.apache.org%3E
https://lists.apache.org/thread.html/r3d0ae14ca224e69fb1c653f0a5d9e56370ee12d8896aa4490aeae14a@%3Ccommits.camel.apache.org%3E
https://lists.apache.org/thread.html/r45da6abb42a9e6853ec8affdbf591f1db3e90c5288de9d3753124c79@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r7968b5086e861da2cf635a7b215e465ce9912d5f16c683b8e56819c4@%3Ccommits.camel.apache.org%3E
Mitigation: The JMX instrumentation agent is the vulnerable component. If it is not being used, it can be disabled in any of the following ways:

* As a Java system property:
  `-Dorg.apache.camel.jmx.disabled=true`
* Using the CamelContext method (must be called before the context is started):
  ```java
  CamelContext camel = new DefaultCamelContext();
  camel.disableJMX();
  ```
* If using Spring, by altering the Spring configuration:
  ```xml
  <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring">
    <jmxAgent id="agent" disabled="true"/>
    ...
  </camelContext>
  ```
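The following is an added verification example, not code from this bug or from the Camel project: it applies the `disableJMX()` mitigation and then confirms that the agent really is off by querying the platform MBean server for Camel MBeans (Camel registers its MBeans under the `org.apache.camel` domain on the platform MBean server by default). A non-zero count after `start()` means the agent is still active, for example because `disableJMX()` was called after the context had already started. The class and method names `JmxDisabledCheck` and `countCamelMBeans` are this example's own; it assumes a Camel 3.x `camel-core` aggregate dependency on the classpath so that the `direct` and `log` components resolve.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

// Added example (not part of the bug report): apply the disableJMX()
// mitigation for CVE-2020-11971 and verify that no Camel MBeans get
// registered once the context is running.
public class JmxDisabledCheck {

    // Camel's default management agent registers its MBeans on the platform
    // MBean server under the "org.apache.camel" domain. With the agent
    // disabled this query must return an empty set.
    static int countCamelMBeans() throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Set<ObjectName> names = server.queryNames(new ObjectName("org.apache.camel:*"), null);
        return names.size();
    }

    public static void main(String[] args) throws Exception {
        CamelContext camel = new DefaultCamelContext();

        // The mitigation from the bug report. This has to happen before
        // start(): once the context is started the agent is already wired in.
        camel.disableJMX();

        camel.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Minimal route so the context has something to manage;
                // endpoint names are constructed for this example.
                from("direct:in").to("log:jmx-check");
            }
        });

        camel.start();
        try {
            int n = countCamelMBeans();
            if (n != 0) {
                throw new IllegalStateException(
                        "JMX agent still active: " + n + " Camel MBeans registered");
            }
            System.out.println("OK: no Camel MBeans registered, JMX agent is disabled");
        } finally {
            camel.stop();
        }
    }
}
```

The same check works for the other two mitigations: run the class with `-Dorg.apache.camel.jmx.disabled=true` and without the `camel.disableJMX()` call, or point it at a Spring-bootstrapped context whose `<jmxAgent disabled="true"/>` is set, and the MBean count must still be zero. If the application uses a non-platform MBean server, query that server instead of `ManagementFactory.getPlatformMBeanServer()`.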
This issue has been addressed in the following products:

Red Hat Fuse 7.8.0 via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11971