This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git
commit 403af26946165eec31d348fe9ce1a8f4680698e4 Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:39:30 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2014-0003.txt.asc | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc b/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc new file mode 100644 index 0000000..7d64855 --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2014-0003.txt.asc @@ -0,0 +1,46 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2014-0003: Apache Camel critical disclosure vulnerability + +Severity: Critical + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions may be also affected. + +Description: The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. + +Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d + +Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file: +<route> + <from uri="servlet:///hello"/> + <to uri="xslt:file:/tmp/transform.xsl" /> + <to uri="file:/tmp/output" /> +</route> + +If an attacker is able to submit a message to this route, they can change the XSLT stylesheet to use for this transfiormation. This stylesheet could be provided by a valid URL and could perform arbitrary remote code execution. + +Credit: This issue was discovered by David Jorm. + +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJTENZYAAoJEImh9lEqI5wsHK0P/35/jWdyzENsaPmW6dlivhuq +b1GAeMQL5gN/lws1VC0+2cQ0HGqOxLItzpse3P0gApMqRi7uGnFT+Amblc2tLvFv +mPJa1Zdm1jjtANPx1oweb3i7VtWXwefBivQ+RxxhKfaru96Q20NK8d2u203+GK9Y +fjQmKHTgUtkpNxKfEgbtkHpCOX1C8xrBs/+JWHhtZFEBQHpzbllO5M2ofrjyJIsL +OaJsd8hVxPXRgyjGDjuSrEObnvszEYkABCbrUgVrTI0NxewUg3orKb1GQjSpw9D9 +YehQurloyHcoqzRkNZsGaeZtiKnCmbyXmii61EoopoWnUyF1lRC8iCgmvyQDpoto +ZVmkhhVl4VON7wSii4A9p4RDBch/zi6rlq+OYx13ZRMqtP6v+hgGNIZiSZ7j4ZTa +wHh/A6MTN44/rAefnu8f2IhXPeTmWznez1jCc2hL4v/p+s4ttVNM1KBZkm/6saBH +VNOrmu46Tcl/cll/tSP5rC+P/LMmCMPdciuV/zSofHjvG5meJMl0a08dMvdNobZi +zGAcHAr6qXiYy6qMMMbTbQu++JUUWnbtaFndWHs/ALOUP9zF+fky30JTu/h2/RuZ +98RnR19XsfL+JgouLmFkP/HtA/qUjbaUHQIvJj6J0R+aR+ItszthGDnSNRXWg1LR +hvVPgX0RU6vPWJoJ0Wd5 +=gxws +-----END PGP SIGNATURE-----
