CVE-2017-12634
First published: Wed Nov 15 2017(Updated: )
Apache Camel's camel-castor component is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. Versions Affected: Camel 2.19.0 to 2.19.3 and Camel 2.20.0 The unsupported Camel 2.x (2.18 and earlier) versions may be also affected. References: <a href="https://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc">https://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc</a> <a href="https://issues.apache.org/jira/browse/CAMEL-11929">https://issues.apache.org/jira/browse/CAMEL-11929</a>
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Camel | >=2.0.0<2.19.4 | |
| Apache Camel | =2.20.0 | |
| maven/org.apache.camel:camel-castor | =2.20.0 | 2.20.1 |
| maven/org.apache.camel:camel-castor | >=2.0.0<2.19.4 | 2.19.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-12634
- https://access.redhat.com/errata/RHSA-2018:0319
- https://github.com/advisories/GHSA-vf4q-8mr7-5c5c (Advisory)
- https://issues.apache.org/jira/browse/CAMEL-11929
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
- http://camel.apache.org/security-advisories.data/CVE-2017-12634.txt.asc
- http://www.securityfocus.com/bid/101876
- https://github.com/apache/camel/commit/2ae645e90edff3bcc1b958cb53ddc5e60a7f49fd
- https://github.com/apache/camel/commit/573ebd3de810cc7e239f175e1d2d6993f1f2ad08
- https://github.com/apache/camel/commit/ad3c1ce9d8300c339cfa7d0f4a4dea691a947988
- https://github.com/apache/camel/commit/adc06a78f04c8d798709a5818104abe5a8ae4b38
- https://github.com/apache/camel/commit/bdff8f3f3583e4f14cdaf24f2037e0fbef252630
- https://github.com/apache/camel/commit/c613905e95a3dab87158d9526aea9439f2de9621
- https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E
Frequently Asked Questions
What is CVE-2017-12634?
CVE-2017-12634 is a vulnerability in the camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 that can be exploited through Java object deserialization.
How does CVE-2017-12634 affect Apache Camel?
CVE-2017-12634 affects Apache Camel versions 2.x before 2.19.4 and 2.20.x before 2.20.1, specifically the camel-castor component.
What is the severity of CVE-2017-12634?
CVE-2017-12634 has a severity of 9.8 (Critical).
How can CVE-2017-12634 be fixed?
To fix CVE-2017-12634, upgrade to Apache Camel version 2.19.4 or newer for the 2.x line, or version 2.20.1 or newer for the 2.20.x line.
Where can I find more information about CVE-2017-12634?
You can find more information about CVE-2017-12634 in the official security advisories from Apache Camel, as well as in the related JIRA and Red Hat Bugzilla reports.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-vf4q-8mr7-5c5c
- alias/CVE-2017-12634
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache camel
- version/apache camel/2.0.0
- version/apache camel/2.20.0
- package-manager/maven
- package-manager/redhat