This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git


The following commit(s) were added to refs/heads/main by this push:
     new d52ccb28 Added CVE-2026-43866 (#1687)
d52ccb28 is described below

commit d52ccb280d889c7674d0467246f548edb2397f8b
Author: Andrea Cosentino <[email protected]>
AuthorDate: Sun Jul 5 16:03:16 2026 +0200

    Added CVE-2026-43866 (#1687)
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-43866.md      | 17 +++++++++++++++++
 content/security/CVE-2026-43866.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-43866.md 
b/content/security/CVE-2026-43866.md
new file mode 100644
index 00000000..f7b7f9b4
--- /dev/null
+++ b/content/security/CVE-2026-43866.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-43866"
+date: 2026-07-05T10:00:00+02:00
+url: /security/CVE-2026-43866.html
+draft: false
+type: security-advisory
+cve: CVE-2026-43866
+severity: HIGH
+summary: "Camel JMS deserialization filter bypass: a forged 
DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860 
class check and is unmarshalled into the Exchange, letting an attacker who can 
publish an ObjectMessage inject the message body, headers, exchange properties, 
variables and exception"
+description: "JmsBinding.extractBodyFromJms() in camel-jms - and the 
equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming 
JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the 
mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer. 
The CVE-2026-40860 hardening added a post-deserialization class check that 
rejects classes outside the default allow-list 
java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.supp [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, JMS 
ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the 
JMS-family components (a new objectMessageEnabled option defaults to false at 
the component and endpoint level), so an i [...]
+credit: "This issue was discovered by gaorenyusi"
+affected: "From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-23373 
(camel-jms) and https://issues.apache.org/jira/browse/CAMEL-23409 (camel-sjms) 
refer to the various commits that resolved the issue, and have more details. 
The camel-jms fix was merged on main in 
https://github.com/apache/camel/pull/22866 (commit 
6cb29c0bbd7d1c46f057eac46c4afa62c9f5e00f) and backported to camel-4.18.x 
(commit 844bbf8c894c5e2bfa023579db80dcd3354c0e1b) and camel-4.14.x (commit 
75d7991b89265a2e8e62c7207165d [...]
diff --git a/content/security/CVE-2026-43866.txt.asc 
b/content/security/CVE-2026-43866.txt.asc
new file mode 100644
index 00000000..61492163
--- /dev/null
+++ b/content/security/CVE-2026-43866.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-43866"
+date: 2026-07-05T10:00:00+02:00
+url: /security/CVE-2026-43866.html
+draft: false
+type: security-advisory
+cve: CVE-2026-43866
+severity: HIGH
+summary: "Camel JMS deserialization filter bypass: a forged 
DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860 
class check and is unmarshalled into the Exchange, letting an attacker who can 
publish an ObjectMessage inject the message body, headers, exchange properties, 
variables and exception"
+description: "JmsBinding.extractBodyFromJms() in camel-jms - and the 
equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming 
JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the 
mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer. 
The CVE-2026-40860 hardening added a post-deserialization class check that 
rejects classes outside the default allow-list 
java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.supp [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, JMS 
ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the 
JMS-family components (a new objectMessageEnabled option defaults to false at 
the component and endpoint level), so an i [...]
+credit: "This issue was discovered by gaorenyusi"
+affected: "From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-23373 
(camel-jms) and https://issues.apache.org/jira/browse/CAMEL-23409 (camel-sjms) 
refer to the various commits that resolved the issue, and have more details. 
The camel-jms fix was merged on main in 
https://github.com/apache/camel/pull/22866 (commit 
6cb29c0bbd7d1c46f057eac46c4afa62c9f5e00f) and backported to camel-4.18.x 
(commit 844bbf8c894c5e2bfa023579db80dcd3354c0e1b) and camel-4.14.x (commit 
75d7991b89265a2e8e62c7207165d [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmpKV6QACgkQ406fOAL/
+QQCE/gf/dBklKhHpK3THpOHwBLf+U8rUmDKfMukNKNu0NwLjoCTkSq+JZcJKrK+1
+tM7xUgccn1Uu6JkSgI08tZmBxMoxwE54mg6FqXIO/Q64l7c2t/Xh9oIZ4+vHnuZg
+LYRINlSPoneE6nWM23mE+WTLqvYfQy6d6gREsixqmVi/aVljSP5gnMbDr+pZX0Vh
++20VB2xpDet7X5jIF0a55bUEv4YxT+XL5q0bd8wQ4+Dbxq/M2FVmA1n/1nJz7e6/
+Be8TnrQok2GvUcSVkaYiXf+WI0Urmy4WhaUUBQu2OZVbsg/RcIx4E5iqgJK83OVq
+iTy2AEqX11MIftQqMvZlhEUOkDVrog==
+=lt55
+-----END PGP SIGNATURE-----

Reply via email to