This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new f76ad96f Updated CVE-2025-27636
f76ad96f is described below
commit f76ad96fde9e4188cd8443ad2f8ec19ae9761b54
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Mon Mar 10 12:52:28 2025 +0100
Updated CVE-2025-27636
Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
content/security/CVE-2025-27636.md | 38 ++++++++++++++++++++++-
content/security/CVE-2025-27636.txt.asc | 54 +++++++++++++++++++++++++++------
2 files changed, 82 insertions(+), 10 deletions(-)
diff --git a/content/security/CVE-2025-27636.md
b/content/security/CVE-2025-27636.md
index 9dfa4bdb..3a1b86b0 100644
--- a/content/security/CVE-2025-27636.md
+++ b/content/security/CVE-2025-27636.md
@@ -8,7 +8,43 @@ cve: CVE-2025-27636
severity: MODERATE
summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'.
This vulnerability is present in Camel's default incoming header filter, that
allows an attacker to include Camel specific
+headers that for some Camel components can alter the behaviours such as the
camel-bean component, to call another method
+on the bean, than was coded in the application. In the camel-jms component,
then a mallicous header can be used to send
+the message to another queue (on the same broker) than was coded in the
application.
+
+The attacker would need to inject custom headers, such as HTTP protocols. So
if you have Camel applications that are
+directly connected to the internet via HTTP, then an attacker could include
malicious HTTP headers in the HTTP requests
+that are send to the Camel application.
+
+All the known Camel HTTP component such as camel-servlet, camel-jetty,
camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable
out of the box.
+
+In terms of usage of the default header filter strategy the list of components
using that is:
+
+camel-activemq
+camel-activemq6
+camel-amqp
+camel-aws2-sqs
+camel-azure-servicebus
+camel-cxf-rest
+camel-cxf-soap
+camel-http
+camel-jetty
+camel-jms
+camel-kafka
+camel-knative
+camel-mail
+camel-nats
+camel-netty-http
+camel-platform-http
+camel-rest
+camel-servlet
+camel-sjms
+camel-spring-rabbitmq
+camel-stomp
+camel-tahu
+camel-undertow
+camel-xmpp"
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
diff --git a/content/security/CVE-2025-27636.txt.asc
b/content/security/CVE-2025-27636.txt.asc
index 8ed5635b..942770a0 100644
--- a/content/security/CVE-2025-27636.txt.asc
+++ b/content/security/CVE-2025-27636.txt.asc
@@ -11,7 +11,43 @@ cve: CVE-2025-27636
severity: MODERATE
summary: "Apache Camel-Bean component: Camel Message Header Injection via
Improper Filtering"
description: "This vulnerability is only present in the following situation.
The user is using one of the following HTTP Servers via one the of the
following Camel components: camel-servlet, camel-jetty, camel-undertow,
camel-platform-http and camel-netty-http and in the route, the exchange will be
routed to a camel-bean producer. So ONLY camel-bean component is affected. In
particular: The bean invocation (is only affected if you use any of the above
together with camel-bean component) [...]
-mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'. "
+mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x
LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use
removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in
general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'.
This vulnerability is present in Camel's default incoming header filter, that
allows an attacker to include Camel specific
+headers that for some Camel components can alter the behaviours such as the
camel-bean component, to call another method
+on the bean, than was coded in the application. In the camel-jms component,
then a mallicous header can be used to send
+the message to another queue (on the same broker) than was coded in the
application.
+
+The attacker would need to inject custom headers, such as HTTP protocols. So
if you have Camel applications that are
+directly connected to the internet via HTTP, then an attacker could include
malicious HTTP headers in the HTTP requests
+that are send to the Camel application.
+
+All the known Camel HTTP component such as camel-servlet, camel-jetty,
camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable
out of the box.
+
+In terms of usage of the default header filter strategy the list of components
using that is:
+
+camel-activemq
+camel-activemq6
+camel-amqp
+camel-aws2-sqs
+camel-azure-servicebus
+camel-cxf-rest
+camel-cxf-soap
+camel-http
+camel-jetty
+camel-jms
+camel-kafka
+camel-knative
+camel-mail
+camel-nats
+camel-netty-http
+camel-platform-http
+camel-rest
+camel-servlet
+camel-sjms
+camel-spring-rabbitmq
+camel-stomp
+camel-tahu
+camel-undertow
+camel-xmpp"
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5.
Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2
@@ -20,12 +56,12 @@ fixed: 3.22.4, 4.8.5 and 4.10.2
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to
the various commits that resolved the issue, and have more details.
-----BEGIN PGP SIGNATURE-----
-iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfNmz4ACgkQ406fOAL/
-QQDSyAf/RwNXqO/BjFAXQazhSAXU71/XUBLw+8eL4epas1iluOtEuYDbnKwM2E/1
-ORgQ3noWI8geNE1FPHij0chuDxNyv5N4dYKwTfOXbjDVMBgQj3cQxxjiZxqW7lA5
-ddLoBPcmS8F/UCMhP/HxHQitnTfi2zzcAZrZNZVLVSPUkMcHGMIOc5l6WLkVF1VE
-ehHp+UPupNryG+6/By2SoQGliE2U9pCja/UWSKJie5MzBblsQYaG0CE3n+4WuraU
-ZUQ60r3hOITn2SKnZw+aNrA2JyxgjHrIuG+HdMTBx5TKDCkhoX4ge4to3y7nZ/jo
-dkmW1ESK9gSkpYhlxPdXRdc4m3kVWg==
-=bIz5
+iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfO0nQACgkQ406fOAL/
+QQCU5AgAqPcA7MznNYjVcSA3EewFNfHjD8qxQY+BxiXUtR9p8yBw/EEvkOavs9od
+iKzV5GhlNsGUGHoGbTMc6RERTrk5uijBm8zA0FCaWuq9YlUreQZX+qnFWAEUi6nI
+lpHXyL1IGLI8WE6iszjk91HTdFr28+f87U3LqmAkKK6PPoeEiq714gxSVjO5BrC7
+gLwzgN3qoCJcTGxWbfpMttAMmHpRt6f+ZxKzQNbv6M0Qd9rbCMqPJ8QyMeZeTZMM
+4oECpBzdLmfFnCZawhIQwtuM1FZ0xfvpwl0rdpDfcGA12OouQPLDS+/vYE7ntN4J
+fV4x0qEmNtxYHeTEzBXzv4C7KiUaEQ==
+=tb1m
-----END PGP SIGNATURE-----
