camel-commits mailing list archives

From acosent...@apache.org
Subject [camel] 02/14: Security Advisories: Porting to docs
Date Wed, 12 Sep 2018 11:47:34 GMT
This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit a530bf117653574b9a1c9a5e373b37a0684f853b
Author: Andrea Cosentino <ancosen@gmail.com>
AuthorDate: Wed Sep 12 13:38:57 2018 +0200

    Security Advisories: Porting to docs
---
 .../en/security-advisories/CVE-2014-0002.txt.asc   | 46 ++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc
new file mode 100644
index 0000000..252af8d
--- /dev/null
+++ b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc
@@ -0,0 +1,46 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2014-0002: Apache Camel critical disclosure vulnerability
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2
+The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions
may be also affected.
+
+Description: The Apache Camel XSLT component will resolve entities in XML messages when transforming
them using an xslt route. A remote attacker able to submit messages to an xslt route could
use this flaw to read files accessible to the running application server and potentially perform
other more advanced XXE attacks.
+
+Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3.
This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6
+
+Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet
and store the result in a file:
+<route>
+  <from uri="servlet:///hello"/>
+  <to uri="xslt:file:/tmp/transform.xsl" />
+  <to uri="file:/tmp/output" />
+</route>
+
+If an attacker is able to submit a message to this route, they can provide a message that
is an XML document containing external entities. These entities will be resolved, and their
contents included in the output of the transformation performed by the xslt route.
+
+Credit: This issue was discovered by David Jorm.
+
+References: http://camel.apache.org/security-advisories.html
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
+Comment: GPGTools - http://gpgtools.org
+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+=VJ0D
+-----END PGP SIGNATURE-----
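Review bot: Several continuation lines inside this hunk (the ones starting "may be also affected.", "them using an xslt route.", "This patch will be included from Camel 2.13.0:", "and store the result in a file:", "is an XML document containing external entities.") carry no "+" prefix, which suggests the mail rendering wrapped long lines rather than that the file has them; confirm the committed CVE-2014-0002.txt.asc preserves the advisory's original line breaks and trailing whitespace, because it is a PGP clearsigned message (Hash: SHA1) and any reflow invalidates `gpg --verify` on the .asc. Since the file is added under docs/user-manual/en/security-advisories/ with a .txt.asc extension, also consider linking it from an index page in the user manual, as the "References:" line still points only at http://camel.apache.org/security-advisories.html.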

