CVE-2015-5348.txt.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-5348: Apache Camel medium disclosure vulnerability

Severity: MEDIUM

Vendor: The Apache Software Foundation

Versions Affected: Camel 2.15.0 to 2.15.4, Camel 2.16.0
The unsupported Camel 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x, 2.12.x, 2.13.x, and 2.14.x are also affected.

Description: Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability

If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatic de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object. 

Mitigation: 2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1.
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resovoled the issue.

Credit: This issue was discovered by Sim Yih Tsern.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJWcnDDAAoJEN1wUKdrQA9pc2IQANO6MRTi2J5xjWrNJ9vFGMEK
5Mm6SXnn0KAYp/ET2WxBfe7D9V+WpcmGejost+7zhixKZ6sqo9uaQ45JRd5Ce6vg
gOfcJVEp0tJWtfR3Tgzpe9x8iL76zrRHlFlUFlo3w09AfA3H/ogeV+jE7in6P/Fu
JNlDWdbmV/WbflaqU643uo6/kScuE5Nzmhdon7QLnztirCzkFSXgx9t9+2mc9X+t
FfliGvIxM54nZ/RR13SeE0BFh4KS2+kEZRivB3fyRMl3pwWzU3pYxYJt81AsupJb
razSEon5281M2G1zaZK8ng/6P3bHACHkOYK6ivsdkQ4zg4YKnShU1nkX2BBBXXrd
dhn5ilcmA65R4jq7Vzk9D3QwwN9Io+0OPdca1WeT79qLpCqlkMOuJQFE6hIfVoQe
sTmz5QIoPyQIWP1tPQS+QzSDx+zNlqte4t48wRkTqXuja/sfi5JzuXtDJwBjGt+L
FO1oA2CEoaiCzOdCVthvZrNBsgYCig7dmeKaYzVRCm1oYHkwd7hCvsg261uOSTHJ
glZrmn3FT/G7qx6MaNLXQD6UZ5XMwx5ToSnILCORDf2UH8sEtyJfkJtIOIQxTeh4
+vV9GYDxNOV/rpqfxcYzyIcfcGK2R4MaoAdLx4RSJoZSz88N2372pTs4pZGAmS7K
cXFnb/HjMssv62nffgkE
=Qn8/
-----END PGP SIGNATURE-----