This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit e25ac7c785664ae745680b3ce6cf3b3d0fd3f98a Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:05 2026 +0200 Added CVE-2026-42527 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-42527.md | 19 +++++++++++++++++++ content/security/CVE-2026-42527.txt.asc | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/content/security/CVE-2026-42527.md b/content/security/CVE-2026-42527.md new file mode 100644 index 00000000..e56f0dde --- /dev/null +++ b/content/security/CVE-2026-42527.md @@ -0,0 +1,19 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-42527" +date: 2026-04-29T10:00:00+02:00 +url: /security/CVE-2026-42527.html +draft: false +type: security-advisory +cve: CVE-2026-42527 +severity: MEDIUM +summary: "Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure" +description: "The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Ca [...] +mitigation: "Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code [...] +credit: "This vulnerability was reported by Venkatraman Kumar from Securin and Yu Bao from Paypal" +affected: "Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0." +fixed: "4.14.8, 4.18.3, 4.21.0." +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23372 refers to the commits that resolved the issue, and has more details. + +The defective default deserialization filter was introduced by the CAMEL-23297, CAMEL-23319, CAMEL-23321, CAMEL-23322, and CAMEL-23324 hardening series. The fix was merged on main in https://github.com/apache/camel/pull/22801 (commit 1b60801edf9864465db7abf391539ee425a53e2c). Backports are tracked in https://github.com/apache/camel/pull/22813 (camel-4.18.x) and https://github.com/apache/camel/pull/22815 (camel-4.14.x). diff --git a/content/security/CVE-2026-42527.txt.asc b/content/security/CVE-2026-42527.txt.asc new file mode 100644 index 00000000..3fcfc109 --- /dev/null +++ b/content/security/CVE-2026-42527.txt.asc @@ -0,0 +1,33 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-42527" +date: 2026-04-29T10:00:00+02:00 +url: /security/CVE-2026-42527.html +draft: false +type: security-advisory +cve: CVE-2026-42527 +severity: MEDIUM +summary: "Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure" +description: "The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Ca [...] +mitigation: "Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code [...] +credit: "This vulnerability was reported by Venkatraman Kumar from Securin and Yu Bao from Paypal" +affected: "Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0." +fixed: "4.14.8, 4.18.3, 4.21.0." +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23372 refers to the commits that resolved the issue, and has more details. + +The defective default deserialization filter was introduced by the CAMEL-23297, CAMEL-23319, CAMEL-23321, CAMEL-23322, and CAMEL-23324 hardening series. The fix was merged on main in https://github.com/apache/camel/pull/22801 (commit 1b60801edf9864465db7abf391539ee425a53e2c). Backports are tracked in https://github.com/apache/camel/pull/22813 (camel-4.18.x) and https://github.com/apache/camel/pull/22815 (camel-4.14.x). +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovy8AACgkQ406fOAL/ +QQATAgf+KdLIL11FnB26cqHefC0vLJEF2FZpkaWrdGwJE35DRhcTeKZJEGOsifww +yUuV3J8eM8mR+Iy+2QDPs/ucOYLWXum6Wrtn4pkqU4Z391hOtsQm0Y3ojMVNTuxe +qr1CDxSK5fhF2t0OVY48Iekqfq9tfF5tgwgCKUS5P3JTjD1i+MDHv7tUQSl8f0T1 +eBcFx2sBx2GZnApSaK2GnMN2p3LrCYDH0cZGyT1As2BiQ/cbprf1KjuRs75MTAy0 +UNyMUJc9UsBTvlJc/vIdGZNw7rLdewfr9j2Dl74kYpX9FEDYMqt0K8oxURDec1AN +A7VpSqo3LFVbDdzURHzjp468Qctszg== +=3RgU +-----END PGP SIGNATURE-----
