You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by bu...@apache.org on 2017/03/16 09:19:42 UTC
svn commit: r1008420 - in /websites/production/camel/content:
cache/main.pageCache security-advisories.data/CVE-2017-5643.txt.asc
security-advisories.html
Author: buildbot
Date: Thu Mar 16 09:19:41 2017
New Revision: 1008420
Log:
Production update by buildbot for camel
Added:
websites/production/camel/content/security-advisories.data/CVE-2017-5643.txt.asc
Modified:
websites/production/camel/content/cache/main.pageCache
websites/production/camel/content/security-advisories.html
Modified: websites/production/camel/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added: websites/production/camel/content/security-advisories.data/CVE-2017-5643.txt.asc
==============================================================================
--- websites/production/camel/content/security-advisories.data/CVE-2017-5643.txt.asc (added)
+++ websites/production/camel/content/security-advisories.data/CVE-2017-5643.txt.asc Thu Mar 16 09:19:41 2017
@@ -0,0 +1,30 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2017-5643: Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.17.0 to 2.17.5, Camel 2.18.0 to 2.18.2
+The unsupported Camel 2.x (2.16 and earlier) versions may be also affected.
+
+Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.
+
+Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3.
+
+The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.
+
+Credit: This issue was discovered by Franz Forsthofer
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJYykp3AAoJEONOnzgC/0EAW1IH+gK4vn5vD+Nve0BWGjMwi7ja
+37HH89UdViakH44YBhUObxXrZ+zAJ53fSuXhorcH8zT8hSdgIhuSkhvMKfWfSr5t
+pVAh2sNLO8Mnpv/8K2HZ8QVL5RuaYdDcI19TAYO2iSrxI+PX8P3SGqbBmNu1c6E3
+0uVJSCcBscvSporgXdNi4+Oh8YpuuQAmocHbUJf+kK8Sc/Z7rTlMzCJwORvuoekM
+0HDC+bfhNgoBU/k6qclTxTEbxMByDX354go/fz8RB/VKzaLuT8UcMp5rvgIYBJTs
+kT6K2NchfXIMo8Zmq2iq3QfabtuXgsJtUjYRFHasrFSvrzoqzXpoaTE1XCFgobE=
+=BTx+
+-----END PGP SIGNATURE-----
Modified: websites/production/camel/content/security-advisories.html
==============================================================================
--- websites/production/camel/content/security-advisories.html (original)
+++ websites/production/camel/content/security-advisories.html Thu Mar 16 09:19:41 2017
@@ -75,7 +75,7 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h3 id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2" data-linked-resource-id="67641933" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-3159.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2017-3159</a> - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2" data-linked-resource-id="67641927" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-874
9.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2016-8749</a> - Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2" data-linked-resource-id="61338184" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2015-5344</a> - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-5348.
txt.asc?version=1&modificationDate=1450340845000&api=v2" data-linked-resource-id="61333112" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2015-5348</a> - Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2" data-linked-resource-id="54165590" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2015-0264</a> - The
XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2" data-linked-resource-id="54165589" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2015-0263</a> - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-adv
isories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2" data-linked-resource-id="40009835" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2014-0003</a> - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2" data-linked-resource-id="40009834" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version=
"13">CVE-2014-0002</a> - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.</li></ul><h3 id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2" data-linked-resource-id="35192841" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="13">CVE-2013-4330</a> - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.</li></ul><p> </p></div>
+<div class="wiki-content maincontent"><h3 id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2" data-linked-resource-id="68719271" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-5643.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2017-5643</a> - Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE</li><li><a shape="rect" href="security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2" data-linked-resource-id="67641933" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-3159.txt.asc" data-linked-resource-content-type="application/pg
p-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2017-3159</a> - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2" data-linked-resource-id="67641927" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-8749.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2016-8749</a> - Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5344.txt.asc
?version=1&modificationDate=1454056803000&api=v2" data-linked-resource-id="61338184" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2015-5344</a> - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2" data-linked-resource-id="61333112" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2015-5348</a> - Apache Camel's
Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2" data-linked-resource-id="54165590" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2015-0264</a> - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2" data-linked-resource-id="5416558
9" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2015-0263</a> - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2" data-linked-resource-id="40009835" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2014
-0003</a> - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2" data-linked-resource-id="40009834" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2014-0002</a> - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.</li></ul><h3 id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2" data-linked-resource-id="35192841" data-linked-resource-version="1" data-linked-resource-type="attachment
" data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="14">CVE-2013-4330</a> - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.</li></ul><p> </p></div>
</td>
<td valign="top">
<div class="navigation">