CVE-2016-8749
Published 2017-03-28
CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
Priority: P260 · critical 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.60% (95.2th percentile)
Affected (17 ranges; the version ranges themselves were not captured on this page; the Apache entry below lists affected and fixed versions)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache_software_foundation | apache_camel | — | — |
Detection & IOCs (extracted from sources)
- Camel allows deserialization of arbitrary Java objects via the 'CamelJacksonUnmarshalType' property in the camel-jackson and camel-jacksonxml components; monitor for untrusted data being passed through this property.
- Affected Apache Camel versions: 2.16.0–2.16.4, 2.17.0–2.17.4, 2.18.0–2.18.1; flag use of these versions with the camel-jackson or camel-jacksonxml components.
- The vulnerability is exploitable only when the 'CamelJacksonUnmarshalType' property is used to allow arbitrary Java type unmarshalling; review Camel route configurations for use of this property with untrusted input sources.
- Both camel-jackson and camel-jacksonxml are affected; environments using either component for unmarshalling operations should be assessed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_apache | — | 9.8 | MEDIUM | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
camel-jacksonxml: Unmarshalling operations are vulnerable to RCE
vendor_redhat · 2016-12-07 · CVSS 9.8 · CRITICAL · CWE-502
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type to be specified through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java de-serialization issues.
Package: camel (Red Hat JBoss Fuse 6) - Affected
Package: camel-jackson (Red Hat JBoss Fuse Service Works 6) - Will not fix
Package: camel-jackson (Red Hat OpenShift Enterprise 2) - Under investigation
Apache
Apache camel: CVE-2016-8749
vendor_apache · CVSS 9.8 · MEDIUM
Affected: 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1
Fixed in: 2.16.5, 2.17.5, 2.18.2
Severity: medium
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
GHSA
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks
ghsa · 2018-10-16 · CRITICAL · CWE-502
Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type to be specified through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java de-serialization issues.
Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade to 2.18.2.
The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604 refer to the various commits that resolved the issue and have more details.
OSV
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks
osv · 2018-10-16 · CRITICAL
The OSV entry carries the same advisory text as the GHSA entry above (description, mitigation, and the JIRA tickets CAMEL-10567 and CAMEL-10604).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-8749 camel-jackson, camel-jacksonxml: Unmarshalling operations are vulnerable to RCE
bugzilla · 2017-02-09 · CVSS 9.8 · CRITICAL
Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type to be specified through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws, as demonstrated in various similar reports about Java de-serialization issues.
External References:
http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc
Upstream bugs:
https://issues.apache.org/jira/browse/CAMEL-10567
https://issues.apache.org/jira/browse/CAMEL-10604
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2
Bugzilla
CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError
bugzilla · 2016-01-08 · CVSS 5.9 · MEDIUM
Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0
Description:
Matt Riedemann from IBM reported an information disclosure vulnerability in Nova. If a StorageError occurs when attempting to connect a volume using the Xen API, the connection parameters will be logged. These parameters may include credentials that are not masked. An attacker with read access to Nova logs could use these credentials with the Xen API directly. Only Nova deployments using the Xen backend are affected by this flaw.
References:
https://launchpad.net/bugs/1516765
http://seclists.org/oss-sec/2016/q1/42
Discussion:
Created opensta
References:
- http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2
- http://www.openwall.com/lists/oss-security/2017/05/22/2
- http://www.securityfocus.com/bid/97179
- https://access.redhat.com/errata/RHSA-2017:1832
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
- https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Published: 2017-03-28