oscerd opened a new pull request, #1687:
URL: https://github.com/apache/camel-website/pull/1687

   Adds the security advisory page for **CVE-2026-43866** — a bypass of the 
[CVE-2026-40860](https://camel.apache.org/security/CVE-2026-40860.html) JMS 
`ObjectMessage` deserialization class-filter.
   
   A forged `org.apache.camel.support.DefaultExchangeHolder` carried inside a 
JMS `ObjectMessage` sits inside the trusted `org.apache.camel.**` allow-list, 
so it passes the `checkDeserializedClass()` check added by CVE-2026-40860. The 
receiving side then unmarshals it into the Exchange without requiring the 
`transferExchange` option — an asymmetric trust boundary — letting anyone able 
to publish an `ObjectMessage` to a consumed queue or topic inject the message 
body, headers, exchange properties, variables and exception, using only 
universally-trusted `java.lang`/`java.util` types (no deserialization gadget 
chain required).
   
   **Details**
   - Severity: **HIGH**
   - Reporter: gaorenyusi
   - Affected components: `camel-jms`, `camel-sjms`, `camel-sjms2`, 
`camel-amqp`, `camel-activemq`, `camel-activemq6`
   - Fixed in: **4.14.8, 4.18.3, 4.21.0** — via 
[CAMEL-23373](https://issues.apache.org/jira/browse/CAMEL-23373) (camel-jms) 
and [CAMEL-23409](https://issues.apache.org/jira/browse/CAMEL-23409) 
(camel-sjms), which disable JMS `ObjectMessage` handling by default (new 
`objectMessageEnabled` option, default `false`)
   - CWE-502 (Deserialization of Untrusted Data), CWE-20 (Improper Input 
Validation)
   
   **Files**
   - `content/security/CVE-2026-43866.md` — Hugo advisory source
   - `content/security/CVE-2026-43866.txt.asc` — clearsigned plaintext (key 
`E34E9F3802FF4100`)
   
   > ⚠️ **Hold merge until Apache Camel 4.14.8 / 4.18.3 / 4.21.0 are 
released.** The fixes are already merged, but those versions are not yet cut; 
the advisory should only go live once the fixed releases are available for 
users to upgrade to.
   
   ---
   _Advisory drafted by Claude Code on behalf of Andrea Cosentino._
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to