camel-issues mailing list archives

From "David Jorm (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CAMEL-7322) Routes using serialized data formats could expose security issues
Date Mon, 24 Mar 2014 04:39:42 GMT
David Jorm created CAMEL-7322:
---------------------------------

             Summary: Routes using serialized data formats could expose security issues
                 Key: CAMEL-7322
                 URL: https://issues.apache.org/jira/browse/CAMEL-7322
             Project: Camel
          Issue Type: New Feature
          Components: documentation
    Affects Versions: 2.13.0
            Reporter: David Jorm


Camel supports various serialized data formats. Camel routes using these data formats could
expose security issues if vulnerable classes are on the classpath. For example, CVE-2013-2186
describes a poison null byte flaw that existed in Apache Commons FileUpload:

http://svn.apache.org/viewvc?view=revision&revision=1507048

If an application was exposing Camel routes that used serialized data formats, and had a vulnerable
class such as Commons FileUpload on the classpath, it could be exploited, as an attacker would
be able to call the deserialization methods on that class.

Camel could address this by exposing a configuration mechanism for type-checking data prior
to deserialization, using a technique such as:

http://www.ibm.com/developerworks/java/library/se-lookahead/index.html

And then providing documentation warning users against deserializing arbitrary user-supplied
content. Alternatively, this could be considered a problem to be solved by applications exposing
Camel routes that use serialized data formats, and therefore be addressed entirely in documentation.
If the latter approach is taken, then I am happy to provide draft documentation content.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
