[
https://issues.apache.org/jira/browse/CAMEL-21880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936550#comment-17936550
]
Jens Kordowski commented on CAMEL-21880:
----------------------------------------
I checked the security research link:
"
As we can see in the code, the _whoami_ command is defined statically, making
the code seem relatively safe. The problems arise when we inspect the possible
[internal message headers supported by
Exec|https://camel.apache.org/components/4.10.x/exec-component.html#:~:text=boolean-,MESSAGE%20HEADERS,-The%20Exec%20component].
When we examine the _CamelExecCommandExecutable_ header, we see that it
overrides the executable defined in the static URI in the code (Figure 3).
"
They consider it a security issue that an outside call can circumvent the
header filter strategy to set the the _CamelExecCommandExecutable_ header and
execute potentially dangerous commands via the exec component.
The same is true for the kafka component. I can send this header to a kafka
broker and when reading it from a kafka topic, this header will be available
executing arbitrary code. If you say this is not a security problem of the same
kind, can you please elaborate on your thoughts?
I think the proclaimed attack vector is independent of the inbound protocol and
all components with header filter strategies should at least be considered in
this context.
> camel-kafka - add lowerCase to header filter strategy
> -----------------------------------------------------
>
> Key: CAMEL-21880
> URL: https://issues.apache.org/jira/browse/CAMEL-21880
> Project: Camel
> Issue Type: Improvement
> Components: camel-kafka
> Affects Versions: 3.22.3, 4.10.2
> Reporter: Jens Kordowski
> Priority: Major
>
> Due to [https://www.cve.org/CVERecord?id=CVE-2025-27636] the following
> extension has been implemented:
> https://issues.apache.org/jira/browse/CAMEL-21828
> This has an effect on
> [https://github.com/apache/camel/blob/main/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHeaderFilterStrategy.java]
> as it sets lowerCase to true. The same is not true for
> [https://github.com/apache/camel/blob/main/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java]
> Very old implementations of the same
> ([https://github.com/apache/camel/blob/camel-2.25.4/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java])
> were using patterns, which were explicitly marked case-insensitive and this
> changed thereafter. Following this recent CVE and the changes, I assume this
> was not desired, hence I marked it as bug.
>
> There might be other header filter strategies out there that do not set
> lowerCase to true.
>
> Best regards
> Jens
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
