This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 1936adf3581cb56502ba25aa5282fbd4d0cfd024
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:05 2026 +0200

    Added CVE-2026-40859
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-40859.md      | 17 +++++++++++++++++
 content/security/CVE-2026-40859.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-40859.md 
b/content/security/CVE-2026-40859.md
new file mode 100644
index 00000000..331bcb8d
--- /dev/null
+++ b/content/security/CVE-2026-40859.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-40859"
+date: 2026-06-09T10:00:00+02:00
+url: /security/CVE-2026-40859.html
+draft: false
+type: security-advisory
+cve: CVE-2026-40859
+severity: MEDIUM
+summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java 
deserialization of HTTP response bodies via a raw ObjectInputStream when 
transferException is enabled"
+description: "The camel-vertx-http and camel-netty-http components deserialize 
HTTP response bodies carrying the Content-Type 
application/x-java-serialized-object using a raw java.io.ObjectInputStream, 
without applying any ObjectInputFilter 
(VertxHttpHelper.deserializeJavaObjectFromStream and 
NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is 
reached only when the producer endpoint is configured with 
transferException=true (or the component-level allowJavaSeri [...]
+mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, the 
deserialization performed by both helper utilities is constrained by a default 
ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which 
can be customised through the new deserial [...]
+credit: "This issue was discovered by Venkatraman Kumar from Securin"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.20.0."
+fixed: 4.14.8, 4.18.3 and 4.20.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23324 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/22613 (commit 
e735f56b4bcae040a6a113a83bf08d41b8696c43, released in 4.20.0) and backported to 
camel-4.18.x (commit a3835afef108fef9eaf04165faed91784889407f, PR #22637) and 
camel-4.14.x (commit 04019cf90a4b09e263d2df4ad4cacea85a9d72ee, PR #22768). 
Exploitation requires the non-def [...]
diff --git a/content/security/CVE-2026-40859.txt.asc 
b/content/security/CVE-2026-40859.txt.asc
new file mode 100644
index 00000000..49dada4d
--- /dev/null
+++ b/content/security/CVE-2026-40859.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-40859"
+date: 2026-06-09T10:00:00+02:00
+url: /security/CVE-2026-40859.html
+draft: false
+type: security-advisory
+cve: CVE-2026-40859
+severity: MEDIUM
+summary: "Apache Camel: Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java 
deserialization of HTTP response bodies via a raw ObjectInputStream when 
transferException is enabled"
+description: "The camel-vertx-http and camel-netty-http components deserialize 
HTTP response bodies carrying the Content-Type 
application/x-java-serialized-object using a raw java.io.ObjectInputStream, 
without applying any ObjectInputFilter 
(VertxHttpHelper.deserializeJavaObjectFromStream and 
NettyHttpHelper.deserializeJavaObjectFromStream). This deserialization path is 
reached only when the producer endpoint is configured with 
transferException=true (or the component-level allowJavaSeri [...]
+mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, the 
deserialization performed by both helper utilities is constrained by a default 
ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which 
can be customised through the new deserial [...]
+credit: "This issue was discovered by Venkatraman Kumar from Securin"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.20.0."
+fixed: 4.14.8, 4.18.3 and 4.20.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23324 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/22613 (commit 
e735f56b4bcae040a6a113a83bf08d41b8696c43, released in 4.20.0) and backported to 
camel-4.18.x (commit a3835afef108fef9eaf04165faed91784889407f, PR #22637) and 
camel-4.14.x (commit 04019cf90a4b09e263d2df4ad4cacea85a9d72ee, PR #22768). 
Exploitation requires the non-def [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy7sACgkQ406fOAL/
+QQDUsgf/VKtr0Ly6x5Hfj7x0Dpn3ZUJaSKW6Zk4pFpYstbxHXj5xKaHi4839gtJN
+ygGgz9x7nQuRdsuAMZgeZb923OM2X87O4EyX+sNqAkDlSijMN3VNVgMyt4Wi5fbb
+NlCaWTRVwcUoEfkuYm68wVXxfkO5ecbvJ06BmCL0fU1rVfSLWjHv3jWWMUYosneW
+BdZ0f3L7iJaGxC/SldSxespbIx2q6STo1nRF6u9zb2BXGhA1tq5+ztXssd2eKB/z
+32YPpog5R4ptnliA228FWR8Nr+m9mVjgfsKVgJT+fhGTiwVzln2KT+cueqmnvmsQ
+lRSPYRYDNabYquXxH0AfJWgGWL/uMQ==
+=RXFq
+-----END PGP SIGNATURE-----

Reply via email to