camel-dev mailing list archives

From Christian Müller <christian.muel...@gmail.com>
Subject Re: CVE-2013-4330: Apache Camel critical disclosure vulnerability
Date Mon, 30 Sep 2013 10:51:56 GMT
It's a bit long...

What's with:
CVE-2013-4330 - The FILE and FTP producer interprets the header
'CamelFileName' as simple language expression if it matches '$simple{...}'.

Best,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642


On Mon, Sep 30, 2013 at 12:31 PM, Claus Ibsen <claus.ibsen@gmail.com> wrote:

> I would suggest updating the title on the page
> http://camel.apache.org/security-advisories.html
>
> From:
> CVE-2013-4330 - Apache Camel critical disclosure vulnerability
>
> To:
> CVE-2013-4330 - When sending an Exchange with the in Message Header
> 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP
> producer, it will interpret the value as simple language expression
> which can be exploited by a malicious user.
>
> Or something better to say what the issue is about.
>
> On Mon, Sep 30, 2013 at 12:24 PM, Christian Müller
> <christian.mueller@gmail.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > CVE-2013-4330: Apache Camel critical disclosure vulnerability
> >
> > Severity: Critical
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel
> > 2.11.0 to 2.11.1, Camel 2.12.0
> > The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x versions
> > may also be affected.
> >
> > Description: When sending an Exchange with the in Message Header
> > 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer,
> > it will interpret the value as simple language expression which can be
> > exploited by a malicious user.
> >
> > Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should
> > upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users
> > should upgrade to 2.12.1. This patch will be included from Camel 2.13.0:
> >
> > https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0
> >
> > Example: Create a simple route which moves files from one directory to
> > another, e.g.:
> > from("file:c:/tmp/in")
> >   .to("file:/c:/tmp/out");
> >
> > If you are using Windows, create a file with the name
> > "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}"
> > (without the quotes)
> > and drop it into the "c:/tmp/in" directory. The file consumer will read and
> > process this file. It will also set the Exchange in Message Header
> > 'CamelFileName' with the value
> > "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}".
> > In the next step, the file producer will interpret the value of this
> > header as simple language expression and in this case, the Windows
> > calculator application will be started.
> >
> > Credit: This issue was discovered by Grégory Draperi.
> >
> > References: http://camel.apache.org/security-advisories.html
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> > Comment: GPGTools - http://gpgtools.org
> >
> > iQIcBAEBAgAGBQJSSUxLAAoJEImh9lEqI5wsxY8P/2NUDc0uEbqMKCu+gp9n0yDz
> > +0JQebcQiIo/tuwmI6/HhQiF9asy3RZTQ4VCc6KelxWW7lB4Gmi9tq71bSfcf+uu
> > 3o3ewNNbh+/vDcDKowOQnZlsD+9xW4fD/VOJt2obCapbLvS1tbLxY4lLly/fCETt
> > DJPExaAhicJQSX0X+jNAAJus5B0JUnAy2QMBj2ZDBPieH82RqtqQ44JtZsd/lyjH
> > d+PRhI44CLramTBX2HQYQtl/RR/sbzGosvbtQV91JL0j26dDMYDeLtVo+GWpjtw6
> > QuKrHvinBF6KKGd2aHEHYPP7yi2nQxlFlvPpEkf/YROKMR+JzyerZmsn5ziylrA7
> > NYlDsQ1LRRJOMiHC9aEOk5Y1++QoQ65EWJfRc2QB320tmGlCGUtXCM/nydyj7rDX
> > UOnnN9K5BMyPdk9qfgMWrUXVZyG8KKOwIDA9fMc4y/3wybllzBOsxidkDx8WbZsk
> > MWmoqtp7EJBIUAm4EmLV1LOD2tBBmXlA0GsdirgXgeoSYb/3lI6HRdMIS0HU3Uu8
> > jG7huiMrUTOkZz7Cs5Pome9ZFWkmfCrTSrOI6zTvcEleuimb2SK2FrHtymQi4dFh
> > DY7s63z52Ic1i7yJKLP5geVDQAaZesftwCFQtVJXF0+0uwuXUvOsCScaxNdVJM/Z
> > seH3FliiPjZJoEHV0fP7
> > =CQKT
> > -----END PGP SIGNATURE-----
> >
> >
> > On behalf of the Camel PMC,
> > Christian Müller
> >
> > V.P. Apache Camel: https://www.apache.org/foundation/
>
>
>
> --
> Claus Ibsen
> -----------------
> Red Hat, Inc.
> Email: cibsen@redhat.com
> Twitter: davsclaus
> Blog: http://davsclaus.com
> Author of Camel in Action: http://www.manning.com/ibsen
>
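Added example, not part of this thread and not Camel's code (it is written in Python rather than Camel's Java so it runs stand-alone): a model of the behaviour the advisory describes. The file consumer copies the on-disk name into the CamelFileName header, the pre-fix producer evaluates that header as an expression whenever it matches $simple{...}, and a toy OGNL-style evaluator walks from the context to a class resolver and calls a method, which is the shape of the advisory's payload; os.getcwd() stands in for Runtime.exec() so nothing is launched. The Exchange, CamelContext and ClassResolver stand-ins, the evaluator, the hardened variant and safe_target_path are assumptions of this example, not Camel's implementation or the fix in the linked commit.

```python
import importlib
import os
import re

# Constructed stand-in for a Camel Exchange; only the in-message headers matter here.
class Exchange:
    def __init__(self, headers):
        self.headers = dict(headers)

# Stand-ins for camelContext.getClassResolver().resolveClass(...), the reflection
# entry point the advisory's payload reaches through. Assumption of this example:
# the toy evaluator can reach live objects and call methods on them, which is the
# property that turns a file name into code execution.
class ClassResolver:
    def resolveClass(self, name):
        return importlib.import_module(name)

class CamelContext:
    def __init__(self):
        self.getClassResolver = ClassResolver()

SIMPLE_RE = re.compile(r"^\$simple\{(.*)\}$", re.DOTALL)
# One step of an OGNL-style chain: an identifier, optionally called with zero or
# more single-quoted string arguments, e.g. resolveClass('os') or getcwd().
STEP_RE = re.compile(r"([A-Za-z_]\w*)(?:\(([^)]*)\))?")


def evaluate_simple(expr, root):
    """Toy expression evaluator: a.b('x').c() walks attributes and calls methods
    starting from the dict of root objects."""
    value = root
    for m in STEP_RE.finditer(expr):
        name, args = m.group(1), m.group(2)
        value = value[name] if isinstance(value, dict) else getattr(value, name)
        if args is not None:
            parsed = [a.strip().strip("'") for a in args.split(",") if a.strip()]
            value = value(*parsed)
    return value


def file_consumer_headers(on_disk_name):
    """The file consumer copies the on-disk name into CamelFileName, so whoever can
    drop a file into the input directory chooses this header's value."""
    return {"CamelFileName": on_disk_name}


def vulnerable_create_file_name(exchange, ctx):
    """Behaviour described in the advisory: a header matching $simple{...} is
    evaluated as an expression before the producer uses it as a file name."""
    name = exchange.headers["CamelFileName"]
    m = SIMPLE_RE.match(name)
    if m:
        name = str(evaluate_simple(m.group(1), {"camelContext": ctx}))
    return name


def hardened_create_file_name(exchange, ctx, endpoint_file_name=None):
    """Assumed hardening (not Camel's actual fix): only the endpoint's own fileName
    option, written by the route author, may contain an expression; the message
    header is always taken literally, even when the option refers to it."""
    if endpoint_file_name is None:
        return exchange.headers["CamelFileName"]
    m = SIMPLE_RE.match(endpoint_file_name)
    if not m:
        return endpoint_file_name
    root = {"camelContext": ctx, "header": exchange.headers}
    return str(evaluate_simple(m.group(1), root))


def safe_target_path(out_dir, name):
    """Defence in depth: the name is still attacker-chosen after the fix, so refuse
    anything that resolves outside the producer's output directory."""
    base = os.path.abspath(out_dir)
    target = os.path.abspath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("file name escapes output directory: %r" % name)
    return target


# Constructed payload with the same shape as the advisory's (reflection to a
# class, then a method call); os.getcwd() stands in for Runtime.exec() so the
# demo has no side effects.
PAYLOAD = "$simple{camelContext.getClassResolver.resolveClass('os').getcwd()}"


def demo():
    ctx = CamelContext()
    exchange = Exchange(file_consumer_headers(PAYLOAD))
    vulnerable = vulnerable_create_file_name(exchange, ctx)
    return {
        "vulnerable": vulnerable,
        "payload_executed": vulnerable == os.getcwd(),
        "hardened": hardened_create_file_name(exchange, ctx),
        "hardened_with_option": hardened_create_file_name(
            exchange, ctx, "$simple{header.CamelFileName}"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running it shows the vulnerable path returning the process's working directory (the expression in the file name ran) while the hardened path returns the header text unchanged, including when the endpoint's fileName option refers to the header. safe_target_path is the check worth keeping regardless: once the header is treated as a literal it is still a name the attacker chose, so it must not be allowed to walk out of the output directory.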
