=====================================================================

                                  CERT-Renater

                      Note d'Information No. 2024/VULN101
_____________________________________________________________________

DATE                : 08/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Camel versions prior to
                           3.21.4, 3.22.1, 4.0.4, 4.4.0.

=====================================================================
https://lists.apache.org/thread/pwmosob3t5j5czpf4o511gdfppobmnl9
https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f
https://lists.apache.org/thread/tollzhth3n6zs427t1r5g9rqqvpb78nm
_____________________________________________________________________

CVE-2024-22371: Apache Camel issue on ExchangeCreatedEvent
Affected versions:

- Apache Camel 3.21.x through 3.21.3
- Apache Camel 3.22.x through 3.22.0
- Apache Camel 4.0.x through 4.0.3
- Apache Camel 4.x through 4.3.0

Not affected: Apache Camel 1.x through 1.6.0

Description:

Exposure of sensitive data by crafting a malicious EventFactory and
providing a custom ExchangeCreatedEvent that exposes sensitive data.
This issue affects Apache Camel from 3.21.x through 3.21.3, from
3.22.x through 3.22.0, from 4.0.x through 4.0.3 and from 4.x through
4.3.0. The vector is an EventFactory registered on the CamelContext,
so custom EventFactory or event-notifier code, and third-party
components that install one, deserve review alongside the upgrade.

Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4
or 4.4.0, which fix the issue.

This issue is being tracked as CAMEL-20305

Credit:

Otavio Rodolfo Piske from the Apache Software Foundation (finder)


References:

https://camel.apache.org/security/CVE-2024-22371.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-22371
https://issues.apache.org/jira/browse/CAMEL-20305

_____________________________________________________________________

https://camel.apache.org/security/CVE-2024-22369.html:
CVE-2024-22369: Apache Camel: Camel-SQL: Unsafe Deserialization from
JDBCAggregationRepository

Posted to users@camel.apache.org
Andrea Cosentino - Monday 19 February 2024 14:34:17 UTC+1

Severity: important

Affected versions:

- Apache Camel 3.0.0 before 3.21.4
- Apache Camel 3.22.0 before 3.22.1
- Apache Camel 4.0.0 before 4.0.4
- Apache Camel 4.1.0 before 4.4.0


Description:

Deserialization of Untrusted Data vulnerability in the Apache Camel
SQL component. The JdbcAggregationRepository persists aggregated
exchange state in a database table and reads it back with Java
serialization, so the table it reads from is a trust boundary: anyone
able to write to it can supply the bytes that get deserialized. This
issue affects Apache Camel from 3.0.0 before 3.21.4, from 3.22.0
before 3.22.1, from 4.0.0 before 4.0.4 and from 4.1.0 before 4.4.0.

Users are recommended to upgrade to version 4.4.0, which fixes the
issue. If users are on the 4.0.x LTS release stream, they are
suggested to upgrade to 4.0.4. If users are on 3.x, they are
suggested to move to 3.21.4 or 3.22.1.

This issue is being tracked as CAMEL-20303

Credit:

Ziyang Chen from HuaWei Open Source Management Center (finder)
Pingtao Wei from HuaWei Open Source Management Center (finder)
Haoran Zhi from HuaWei Open Source Management Center (finder)


References:

https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-22369
https://issues.apache.org/jira/browse/CAMEL-20303

_____________________________________________________________________

https://camel.apache.org/security/CVE-2024-23114.html:
CVE-2024-23114: Apache Camel: Camel-CassandraQL: Unsafe
Deserialization from CassandraAggregationRepository

Severity: important

Affected versions:

- Apache Camel 3.0.0 before 3.21.4
- Apache Camel 3.22.0 before 3.22.1
- Apache Camel 4.0.0 before 4.0.4
- Apache Camel 4.1.0 before 4.4.0

Description:

Deserialization of Untrusted Data vulnerability in the Apache Camel
CassandraQL component: the CassandraAggregationRepository is
vulnerable to unsafe deserialization, and under specific conditions
a malicious payload can be deserialized. As with the SQL component,
the Cassandra table the repository reads its aggregated exchange
state from is a trust boundary. This issue affects Apache Camel from
3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before
4.0.4 and from 4.1.0 before 4.4.0.
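
The camel-sql and camel-cassandraql entries describe the same
mechanism: aggregation state persisted by the repository is read back
with Java serialization, so the bytes coming out of the store decide
which classes get instantiated. The following Java program is an
added illustration written for this note; it is not Apache Camel code
and does not reproduce the project's fix. It serializes a constructed
sample of repository state, shows that an unfiltered ObjectInputStream
instantiates whatever class name the blob carries, and then applies a
JEP 290 ObjectInputFilter (Java 9+) that allows only JDK and
org.apache.camel types. The allowlist pattern and the class names are
assumptions made for the demonstration; check the 3.21.4 / 3.22.1 /
4.0.4 / 4.4.0 release notes for how the fixed repositories actually
constrain deserialization.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not Apache Camel code: how a persisted aggregation
 * state blob is turned back into objects with plain Java serialization,
 * and how a JEP 290 ObjectInputFilter restricts which classes may be
 * instantiated during that step. Class names and the allowlist pattern
 * are assumptions for the demo.
 */
public class AggregationBlobFilterDemo {

    /** Stand-in for "the repository writes its state": plain Java serialization. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: any class named in the blob is resolved and instantiated. */
    static Object readUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: the filter sees every class before it is instantiated. */
    static Object readFiltered(byte[] blob, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /** Constructed stand-in for a class that should never come out of the store. */
    static class NotOnTheAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "resolved from the blob";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of state a repository persists (headers + body).
        Map<String, Object> state = new HashMap<>();
        state.put("CamelAggregatedSize", 3);
        state.put("body", "order-123");
        byte[] goodBlob = serialize(state);

        // Constructed sample: a blob naming a class outside the allowlist.
        byte[] badBlob = serialize(new NotOnTheAllowlist());

        // Allow JDK and Camel types, reject everything else (JEP 290 pattern syntax).
        String allow = "java.**;org.apache.camel.**;!*";

        System.out.println("unfiltered, good blob : " + readUnfiltered(goodBlob));
        System.out.println("unfiltered, bad blob  : " + readUnfiltered(badBlob).getClass().getName());
        System.out.println("filtered, good blob   : " + readFiltered(goodBlob, allow));
        try {
            readFiltered(badBlob, allow);
            System.out.println("filtered, bad blob    : NOT rejected (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, bad blob    : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `java AggregationBlobFilterDemo.java` (single-file launch,
Java 11+). The filter is consulted for every class resolved while the
stream is read, before any constructor or readObject of that class
runs, which is what makes an allowlist effective against gadget
chains; a denylist of known gadget classes is not an equivalent
control. The same check applies to whatever reads the Cassandra table
in the CassandraAggregationRepository case.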

Users are recommended to upgrade to version 4.4.0, which fixes the
issue. If users are on the 4.0.x LTS release stream, they are
suggested to upgrade to 4.0.4. If users are on 3.x, they are
suggested to move to 3.21.4 or 3.22.1.
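
All three entries point at the same four fixed releases, but the
affected ranges differ (CVE-2024-22371 starts at 3.21.x, the other
two at 3.0.0). The following Java program is an added example written
for this note, not part of the advisory or of Apache Camel; it encodes
the ranges as transcribed above and reports which of the three CVEs
apply to a given camel-core version. Reading "4.x through 4.3.0" as
4.1.0 up to 4.3.0 (4.0.x having its own line) is an assumption, and
the sample versions are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not part of the advisory or of Apache Camel: decide
 * which of the three CVEs above apply to a given Camel version. Ranges
 * are transcribed from the advisory text; reading "4.x through 4.3.0"
 * as 4.1.0..4.3.0 is an assumption. Requires Java 16+ (records).
 */
public class CamelAdvisoryCheck {

    /** Half-open range: affected iff first <= version < fixedIn. */
    record Range(String first, String fixedIn) {}
    record Advisory(String cve, List<Range> affected) {}

    static final List<Advisory> ADVISORIES = List.of(
        new Advisory("CVE-2024-22371", List.of(
            new Range("3.21.0", "3.21.4"), new Range("3.22.0", "3.22.1"),
            new Range("4.0.0", "4.0.4"),   new Range("4.1.0", "4.4.0"))),
        new Advisory("CVE-2024-22369", List.of(
            new Range("3.0.0", "3.21.4"),  new Range("3.22.0", "3.22.1"),
            new Range("4.0.0", "4.0.4"),   new Range("4.1.0", "4.4.0"))),
        new Advisory("CVE-2024-23114", List.of(
            new Range("3.0.0", "3.21.4"),  new Range("3.22.0", "3.22.1"),
            new Range("4.0.0", "4.0.4"),   new Range("4.1.0", "4.4.0"))));

    /** Parse "major.minor.patch[-qualifier]"; qualifiers are dropped, missing parts are 0. */
    static int[] parse(String v) {
        String[] p = v.split("[-+]", 2)[0].split("\\.");
        int[] n = new int[3];
        for (int i = 0; i < 3 && i < p.length; i++) n[i] = Integer.parseInt(p[i]);
        return n;
    }

    static int compare(String a, String b) {
        int[] x = parse(a), y = parse(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    static boolean inRange(String v, Range r) {
        return compare(v, r.first()) >= 0 && compare(v, r.fixedIn()) < 0;
    }

    /** CVE identifiers from this advisory that apply to the given version. */
    static List<String> applicableCves(String version) {
        List<String> hits = new ArrayList<>();
        for (Advisory a : ADVISORIES) {
            for (Range r : a.affected()) {
                if (inRange(version, r)) {
                    hits.add(a.cve());
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; 4.3.0-SNAPSHOT is compared as 4.3.0.
        String[] samples = {"3.20.2", "3.21.3", "3.21.4", "3.22.0",
                            "4.0.3", "4.0.4", "4.3.0-SNAPSHOT", "4.4.0"};
        for (String v : samples) {
            List<String> cves = applicableCves(v);
            System.out.printf("%-16s %s%n", v,
                cves.isEmpty() ? "not affected by the three CVEs above" : cves);
        }
    }
}
```

Qualifiers such as -SNAPSHOT are dropped before comparison, so a
pre-release build of a fixed version (4.4.0-SNAPSHOT) is reported as
fixed; treat such builds as the previous release when in doubt. The
version to check is the camel-core version actually resolved on the
classpath (for example from `mvn dependency:tree`), not the one
declared in a parent POM.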

This issue is being tracked as CAMEL-20306

Credit:

Federico Mariani from Apache Software Foundation (finder)
Andrea Cosentino from Apache Software Foundation (finder)

References:

https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23114
https://issues.apache.org/jira/browse/CAMEL-20306



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
