CVE-2020-11971: Input Validation
First published: Thu May 14 2020(Updated: )
Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Camel | >=2.22.0<=3.1.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.1.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.2.0<=8.2.3 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
| Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 |
Remedy
The JMX instrumentation agent is the vulnerable component in this, if not being used it can be disabled in the following ways * As a Java system property - `-Dorg.apache.camel.jmx.disabled=true` as java system property * Using the CamelContext method - ```java CamelContext camel = new DefaultCamelContext(); camel.disableJMX(); ``` * If using spring altering the spring configuration - ```xml <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"> <jmxAgent id="agent" disabled="true"/> ... </camelContext> ```
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-11971 https://nvd.nist.gov/vuln/detail/CVE-2020-11971
- https://bugzilla.redhat.com/show_bug.cgi?id=1848433
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/security/cve/cve-2020-11971
- http://www.openwall.com/lists/oss-security/2020/05/14/7
- https://camel.apache.org/security/CVE-2020-11971.html
- https://lists.apache.org/thread.html/r16f4f9019840bc923e25d1b029fb42fe2676c4ba36e54824749a8da9@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r3d0ae14ca224e69fb1c653f0a5d9e56370ee12d8896aa4490aeae14a@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r45da6abb42a9e6853ec8affdbf591f1db3e90c5288de9d3753124c79@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7968b5086e861da2cf635a7b215e465ce9912d5f16c683b8e56819c4@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r8988311eb2481fd8a87e69cf17ffb8dc81bfeba5503021537f72db0a@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r938dc2ded68039ab747f6d7a12153862495d4b38107d3ed111994386@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb0033c4e9dade1fdf22493314062364ff477e9a8b417f687dc168468@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rc907a3d385a9c62416d686608e7241c864be8ef2ac16a3bdb0e33649@%3Cissues.activemq.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://issues.apache.org/jira/browse/CAMEL-14811
- http://camel.apache.org/schema/spring
- https://lists.apache.org/thread.html/r7968b5086e861da2cf635a7b215e465ce9912d5f16c683b8e56819c4%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r16f4f9019840bc923e25d1b029fb42fe2676c4ba36e54824749a8da9%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r3d0ae14ca224e69fb1c653f0a5d9e56370ee12d8896aa4490aeae14a%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r45da6abb42a9e6853ec8affdbf591f1db3e90c5288de9d3753124c79%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb0033c4e9dade1fdf22493314062364ff477e9a8b417f687dc168468%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r8988311eb2481fd8a87e69cf17ffb8dc81bfeba5503021537f72db0a%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r938dc2ded68039ab747f6d7a12153862495d4b38107d3ed111994386%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rc907a3d385a9c62416d686608e7241c864be8ef2ac16a3bdb0e33649%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328%40%3Cusers.activemq.apache.org%3E
Frequently Asked Questions
What is CVE-2020-11971?
CVE-2020-11971 is a vulnerability in Apache Camel's JMX that allows for a rebind flaw.
What versions of Apache Camel are affected by CVE-2020-11971?
Apache Camel versions 2.22.x, 2.23.x, 2.24.x, 2.25.x, and 3.0.0 up to 3.1.0 are affected by CVE-2020-11971.
How severe is CVE-2020-11971?
CVE-2020-11971 has a severity rating of 7.5 (high).
How can I fix CVE-2020-11971?
To fix CVE-2020-11971, users should upgrade to Apache Camel version 3.2.0.
Where can I find more information about CVE-2020-11971?
You can find more information about CVE-2020-11971 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2020-11971) and the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2020-11971).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-11971
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache camel
- version/apache camel/2.22.0
- version/apache camel/3.1.0
- vendor/oracle
- canonical/oracle communications diameter intelligence hub
- version/oracle communications diameter intelligence hub/8.0.0
- version/oracle communications diameter intelligence hub/8.1.0
- version/oracle communications diameter intelligence hub/8.2.0
- version/oracle communications diameter intelligence hub/8.2.3
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.2.2
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.3.0.0
- version/oracle enterprise manager base platform/13.4.0.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- package-manager/redhat