CVE-2015-5344
Published: 2016-02-03
Priority P2 · 62 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.12% (93.5th percentile)
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | 2.15.0 to 2.15.4 | 2.15.5 |
| apache | camel | 2.16.0 | 2.16.1 |
Detection & IOCs (extracted from sources)
- Detect crafted serialized Java objects sent in HTTP requests to the camel-xstream component; successful deserialization can lead to remote code execution.
- Monitor for Java object deserialization activity in Apache Camel's camel-xstream component, specifically deserialization of untrusted data received over HTTP.
- Flag Apache Camel versions 2.15.0 through 2.15.4 and 2.16.0 as vulnerable to this RCE via XStream deserialization.
- Affected packages include camel in Red Hat JBoss Fuse 6, Red Hat JBoss Fuse Service Works 6 and Red Hat OpenShift Enterprise 2; camel in OpenShift Enterprise 1 and Red Hat JBoss BRMS 5 is marked "Will not fix".
- The vulnerability was addressed in Red Hat JBoss Fuse 6.3 via RHSA-2016:2035; the fixed upstream versions are Apache Camel 2.15.5 and 2.16.1 or newer.
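As an added example (not code from this page or from the Apache Camel project), the Python below implements the two checks the detection bullets above call for: flagging a Camel version string against the affected ranges, and scanning a raw HTTP request for a Java serialization stream or for XStream XML that names classes commonly abused in XStream deserialization gadgets. The request samples are constructed for the example, and the indicator set (the `dynamic-proxy` element, `java.beans.EventHandler`, `java.lang.ProcessBuilder`, `javax.imageio.ImageIO$ContainsFilter`) is general XStream-gadget knowledge assumed here, not something stated in the advisory.

```python
"""Added example for CVE-2015-5344; not code from the page or from Apache Camel.

Two checks:
  1. camel_version_vulnerable(): compare a version string against the NVD
     ranges on this page (before 2.15.5; 2.16.x before 2.16.1).
  2. scan_http_request(): look at a raw HTTP request body for a Java
     serialization stream or XStream XML naming known gadget classes.
Indicator strings and sample requests are constructed for this example.
"""
import re


def parse_version(version):
    """Turn '2.15.4' or '2.16.0.redhat-1' into a comparable (major, minor, patch)."""
    nums = []
    for part in version.split(".")[:3]:
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def camel_version_vulnerable(version):
    """True for the NVD ranges: before 2.15.5, and 2.16.x before 2.16.1.

    The Apache advisory on this page gives 2.15.0 as the lower bound; using
    the broader NVD phrasing is the conservative choice for triage.
    """
    v = parse_version(version)
    if v < (2, 15, 5):
        return True
    return (2, 16, 0) <= v < (2, 16, 1)


JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
JAVA_SERIAL_B64 = b"rO0AB"               # base64 prefix of those same four bytes

# Elements and class names seen in well-known XStream deserialization gadgets
# (assumed indicators for this example, not taken from the advisory text).
XSTREAM_INDICATORS = (
    ("xstream-dynamic-proxy", rb"<dynamic-proxy\b"),
    ("java-beans-eventhandler", rb"java\.beans\.EventHandler"),
    ("java-lang-processbuilder", rb"java\.lang\.ProcessBuilder"),
    ("imageio-containsfilter", rb"javax\.imageio\.ImageIO\$ContainsFilter"),
)


def scan_http_request(raw):
    """Return {'request': request line, 'findings': [indicator names]} for one raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    findings = []
    if body.startswith(JAVA_SERIAL_MAGIC):
        findings.append("java-serialization-stream")
    if JAVA_SERIAL_B64 in body:
        findings.append("base64-java-serialization")
    for name, pattern in XSTREAM_INDICATORS:
        if re.search(pattern, body):
            findings.append(name)
    return {"request": request_line, "findings": findings}


# Constructed sample traffic (not captured from any real system).
BENIGN_XML_REQUEST = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
    b"Content-Type: application/xml\r\n\r\n"
    b"<order><id>42</id><sku>ABC-1</sku></order>"
)
XSTREAM_PROBE_REQUEST = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
    b"Content-Type: application/xml\r\n\r\n"
    b"<sorted-set><dynamic-proxy><interface>java.lang.Comparable</interface>"
    b'<handler class="java.beans.EventHandler"/></dynamic-proxy></sorted-set>'
)
NATIVE_SERIAL_REQUEST = (
    b"POST /orders HTTP/1.1\r\nHost: camel.example.internal\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + JAVA_SERIAL_MAGIC + b"sr\x00\x13java.util.ArrayList"
)


def triage(version, requests):
    """Combine both checks: report hits only when the receiving Camel is in an affected range."""
    if not camel_version_vulnerable(version):
        return []
    return [r["request"] for r in map(scan_http_request, requests) if r["findings"]]


if __name__ == "__main__":
    for req in (BENIGN_XML_REQUEST, XSTREAM_PROBE_REQUEST, NATIVE_SERIAL_REQUEST):
        print(scan_http_request(req))
    print(triage("2.15.4", [BENIGN_XML_REQUEST, XSTREAM_PROBE_REQUEST, NATIVE_SERIAL_REQUEST]))
```

The body scan is a content signature, not proof of exploitation: whether a payload ever reaches XStream depends on the route's unmarshal data format and the Content-Type it accepts, and `triage()` deliberately drops hits against a Camel already at 2.15.5 / 2.16.1 or newer so the alert volume tracks actual exposure.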
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_apache: 9.8 (Apache's own severity rating: MEDIUM)
- vendor_redhat: 9.8 CRITICAL
Red Hat
camel-xstream: Java object de-serialization vulnerability leads to RCE
vendor_redhat · 2015-11-06 · CVSS 9.8 · CRITICAL · CWE-502
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.
Package: camel (OpenShift Enterprise 1) - Will not fix
Package: camel (Red Hat JBoss BRMS 5) - Will not fix
Package: camel (Red Hat JBoss Fuse 6) - Affected
Package: camel (Red Hat JBoss Fuse Service Works 6) - Affected
Package: camel (Red Hat OpenShift Enterprise 2) - Affected
Apache
Apache camel: CVE-2015-5344
vendor_apache · CVSS 9.8 · severity MEDIUM (Apache rating)
| Affected | Fixed in | Severity | Description | Year |
|---|---|---|---|---|
| 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks. | 2015 |
OSV
Camel-xstream component in Apache Camel can allow remote attackers to execute arbitrary commands
osv · 2018-10-16 · CRITICAL
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
GHSA
Camel-xstream component in Apache Camel can allow remote attackers to execute arbitrary commands
ghsa · 2018-10-16 · CRITICAL
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
No detection rules found.
References
- http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://www.securityfocus.com/archive/1/537414/100/0/threaded
- http://www.securityfocus.com/bid/82260
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E