This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 16ea85c46c818db260b0f2124c8e84bccdef1862 Author: Andrea Cosentino <[email protected]> AuthorDate: Fri Jun 19 12:03:03 2026 +0200 Split CVE-2026-49365 to camel-netty-http only and add CVE-2026-56139 (camel-undertow) CVE-2026-49365 covered both camel-netty-http and camel-undertow; narrow it to camel-netty-http and document the same insecure muteException=false default for camel-undertow in a dedicated CVE-2026-56139, including the undertow-only Rest DSL bug (RestUndertowHttpBinding hard-coded muteException to false). Both share the CAMEL-23651 fix (PR apache/camel#23913) and cross-reference each other. Also corrected the 4.18.x/4.14.x backport commit hashes: the published CVE-2026-49365 cited an u [...] Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-49365.md | 8 ++++---- content/security/CVE-2026-49365.txt.asc | 24 ++++++++++++------------ content/security/CVE-2026-56139.md | 17 +++++++++++++++++ content/security/CVE-2026-56139.txt.asc | 31 +++++++++++++++++++++++++++++++ 4 files changed, 64 insertions(+), 16 deletions(-) diff --git a/content/security/CVE-2026-49365.md b/content/security/CVE-2026-49365.md index 664f1673..911531fe 100644 --- a/content/security/CVE-2026-49365.md +++ b/content/security/CVE-2026-49365.md @@ -6,12 +6,12 @@ draft: false type: security-advisory cve: CVE-2026-49365 severity: MEDIUM -summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" -description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] -mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] +summary: "Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +description: "The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception du [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component. [...] credit: "This issue was discovered by Yu Bao from PayPal" affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." fixed: 4.14.8, 4.18.3 and 4.21.0 --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException consumer-option default in camel-netty-htt [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-netty-htt [...] diff --git a/content/security/CVE-2026-49365.txt.asc b/content/security/CVE-2026-49365.txt.asc index e01c1331..a702dfbc 100644 --- a/content/security/CVE-2026-49365.txt.asc +++ b/content/security/CVE-2026-49365.txt.asc @@ -9,23 +9,23 @@ draft: false type: security-advisory cve: CVE-2026-49365 severity: MEDIUM -summary: "Camel-Netty-HTTP and Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" -description: "The camel-netty-http and camel-undertow HTTP server consumers expose a muteException option that controls what is returned to the client when a route processing error occurs. In both components this option defaulted to false - in camel-netty-http because the backing field was an uninitialised primitive boolean (Java's default of false), and in camel-undertow likewise - whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platfor [...] -mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http and camel-undertow consumers (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via [...] +summary: "Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients" +description: "The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception du [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component. [...] credit: "This issue was discovered by Yu Bao from PayPal" affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." fixed: 4.14.8, 4.18.3 and 4.21.0 - --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit 1bd7389bd244da719404cf66d5b3676d41498bec) and camel-4.14.x (commit d3a13956ad2fd7280ad3ab678d79caf3bd0b4661). The fix aligns the muteException consumer-option default in camel-netty-htt [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-netty-htt [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmoyo1oACgkQ406fOAL/ -QQBrwQgAi6I2aggOCjyAMMi0SNscu+VFqJI/MdIiFJnW+A2KVh4GGeui2jrMcg2t -71OlDX+fQkmMBVhZQX4RfB4yfqBcXXSKWxdvfiTWuFU8uLGFZ31TSmYo51nnj37E -xDsNoa7DQ4ZJjpxud0AqV80+Mpb/vkxr1MxcM9Qloj8HHR80gWR9c/WmNayfIvlv -cCX41FsrSFOJpvfwA1bibq6AongRAI6yrtgBzTpd/SUqM3gGe2CVKE6nXi1ZQ2WN -y4JL+OoHYvPMQV+YsrCPGkyQRDOkVwzRW9ii7scOa1jUUnHQVqgBWFn8KFrIRoaZ -jM5883ZFwq0eDs3yXPfaqF0cHiEOSA== -=vOpR +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1E5cACgkQ406fOAL/ +QQDr4wf/QKxsfZDpVylUF6yiQpLRf5y+NLF4TKSBHz3sLS91IQElXrQg+pC4UTVJ +O22HkUXt9ViMh1zff8ZR9qrBcqmmtx/ndLOMTiXxMpmXMIToapNSUEpVYVlmVKfU +PLMKhDQWKF1aWDDqP1S5SN8cEvny4WcsCdI7vBHuuHdI/6cEv5NShHXC0XKfyOMB +dMy+kPxukIKdFbsc2wNk1JJ6cvkpVFwh1MyMmpGYrTdjQ7okVMD3OZkYrWFgiTXI +EQIaoENSM5mfk4V1EFeUW9BQvyOfd139v5qP5alW6Dhl/KLccMJq64COAwpGHpGz +eqBKKuroW7UjPy8hF9ui2r7H/6+PKg== +=e1/w -----END PGP SIGNATURE----- diff --git a/content/security/CVE-2026-56139.md b/content/security/CVE-2026-56139.md new file mode 100644 index 00000000..b4254118 --- /dev/null +++ b/content/security/CVE-2026-56139.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-56139" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-56139.html +draft: false +type: security-advisory +cve: CVE-2026-56139 +severity: MEDIUM +summary: "Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured at all for Rest DSL consumers" +description: "The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP respon [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component.unde [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-undertow [...] diff --git a/content/security/CVE-2026-56139.txt.asc b/content/security/CVE-2026-56139.txt.asc new file mode 100644 index 00000000..e809117e --- /dev/null +++ b/content/security/CVE-2026-56139.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-56139" +date: 2026-06-18T10:00:00+02:00 +url: /security/CVE-2026-56139.html +draft: false +type: security-advisory +cve: CVE-2026-56139 +severity: MEDIUM +summary: "Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured at all for Rest DSL consumers" +description: "The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP respon [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component.unde [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-undertow [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmo1E58ACgkQ406fOAL/ +QQBAOQf/RSFXBJ5nNKE5+o2MNyGPPne7TK2Wfps1sR3djZs2nUJqqH4NuQBHVZVC +ZcYaA5hV6qDEt3iDmyWhYT8fpMnwzXjwB0dw2Q7c3YE7Nxymngj29fj/8AXwCr6Z +sao1h/JunTXwKEqMiejS40jkDkxjduRcnbygMDfcXtph9kt67sq+BK7yvSSiaseN +1yld++Yfexh9v661odDX+pmo1MK3aERbERY2Q/h0XGKBmfKEf+P4lNa1lIBBF6XW +e2IoFgnWFGa58hadnXl1coquRRqAnloBUpikkqdpexpSfgUMiVBh2ZCFOUW/Bu+1 +Sv0VLyP64j0RSnyD4M8GINbIs5mZIQ== +=Asqi +-----END PGP SIGNATURE-----
