Apache Camel's JMX is vulnerable to a rebind flaw (CVE-2020-11971). Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, and 3.0.0 up to 3.1.0 are affected. Users should upgrade to 3.2.0.

References:
http://www.openwall.com/lists/oss-security/2020/05/14/7
https://issues.apache.org/jira/browse/CAMEL-14811
https://camel.apache.org/security/CVE-2020-11971.html
https://lists.apache.org/thread.html/r16f4f9019840bc923e25d1b029fb42fe2676c4ba36e54824749a8da9@%3Ccommits.camel.apache.org%3E
https://lists.apache.org/thread.html/r3d0ae14ca224e69fb1c653f0a5d9e56370ee12d8896aa4490aeae14a@%3Ccommits.camel.apache.org%3E
https://lists.apache.org/thread.html/r45da6abb42a9e6853ec8affdbf591f1db3e90c5288de9d3753124c79@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r7968b5086e861da2cf635a7b215e465ce9912d5f16c683b8e56819c4@%3Ccommits.camel.apache.org%3E
Mitigation: The JMX instrumentation agent is the vulnerable component. If it is not being used, it can be disabled in any of the following ways:

* As a Java system property:
  `-Dorg.apache.camel.jmx.disabled=true`
* Using the CamelContext method:
  ```java
  CamelContext camel = new DefaultCamelContext();
  camel.disableJMX();
  ```
* If using Spring, by altering the Spring configuration:
  ```xml
  <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring">
    <jmxAgent id="agent" disabled="true"/>
    ...
  </camelContext>
  ```
This issue has been addressed in the following products:

Red Hat Fuse 7.8.0: via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11971