It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Upstream patch:
https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da

External References:
https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc
This issue has been addressed in the following products:

  JBoss Fuse/A-MQ 6.1.0

Via RHSA-2015:1041 https://rhn.redhat.com/errata/RHSA-2015-1041.html

This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.2

Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html

This issue has been addressed in the following products:

  JBoss BRMS 6.1.2

Via RHSA-2015:1538 https://rhn.redhat.com/errata/RHSA-2015-1538.html

This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.2.1

Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html