First published: Thu May 14 2020
Apache Camel's JMX agent is vulnerable to a rebind flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, and 3.0.0 up to 3.1.0 are affected. Users should upgrade to 3.2.0.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Camel | >= 2.22.0, <= 3.1.0 | Upgrade to 3.2.0 |
Oracle Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.1.0 | |
Oracle Communications Diameter Intelligence Hub | >= 8.2.0, <= 8.2.3 | |
Oracle Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 | |
Oracle Enterprise Manager Base Platform | = 13.3.0.0 | |
Oracle Enterprise Manager Base Platform | = 13.4.0.0 | |
Oracle FLEXCUBE Private Banking | = 12.0.0 | |
Oracle FLEXCUBE Private Banking | = 12.1.0 | |
The JMX instrumentation agent is the vulnerable component. If it is not being used, it can be disabled in any of the following ways (disabling it is a mitigation; the fix is to upgrade to 3.2.0):

* As a Java system property: `-Dorg.apache.camel.jmx.disabled=true`
* Using the CamelContext API, before the context is started:

```java
CamelContext camel = new DefaultCamelContext();
camel.disableJMX();
```

* If using Spring, in the Spring XML configuration:

```xml
<camelContext id="camel" xmlns="http://camel.apache.org/schema/spring">
  <jmxAgent id="agent" disabled="true"/>
  ...
</camelContext>
```
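The snippets above disable the agent but do not show how to confirm the mitigation took effect. The following is an added example, not code from the advisory or from the Camel project: it starts a Camel 3.x context with `disableJMX()` applied and then queries the platform MBeanServer for anything registered under the `org.apache.camel` domain (the default domain Camel's agent uses). A non-zero count means the agent is still active. The class name, the route, and the `jmxEnabled` parameter are this example's own assumptions; it requires `camel-core` on the classpath.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

// Added example (not from the advisory): verify that the Camel JMX agent is
// really off by checking the platform MBeanServer after the context starts.
public class JmxDisabledCheck {

    // Builds and starts a context. jmxEnabled=false applies the mitigation
    // from the advisory; disableJMX() must run before start().
    static CamelContext startContext(boolean jmxEnabled) throws Exception {
        DefaultCamelContext camel = new DefaultCamelContext();
        if (!jmxEnabled) {
            camel.disableJMX();
        }
        // Hypothetical route so the context has something to manage.
        camel.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("timer:tick?period=1000").to("log:tick");
            }
        });
        camel.start();
        return camel;
    }

    // Counts MBeans in Camel's default JMX domain. With the agent disabled
    // nothing is registered, so this returns 0.
    static int camelMBeanCount() throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Set<ObjectName> names = server.queryNames(new ObjectName("org.apache.camel:*"), null);
        return names.size();
    }

    public static void main(String[] args) throws Exception {
        CamelContext camel = startContext(false);
        try {
            int count = camelMBeanCount();
            if (count != 0) {
                throw new IllegalStateException(
                        "JMX agent still active: " + count + " Camel MBeans registered");
            }
            System.out.println("OK: no Camel MBeans registered, JMX agent is disabled");
        } finally {
            camel.stop();
        }
    }
}
```

The same check works for the system-property route: run the class without the `disableJMX()` call but with `-Dorg.apache.camel.jmx.disabled=true` on the JVM command line, and the count should still be 0. If the deployment overrides the JMX domain (the `jmxAgent` element's `mbeanServerDefaultDomain`), query that domain instead of `org.apache.camel`.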
CVE-2020-11971 is a rebind flaw in Apache Camel's JMX agent.
Apache Camel versions 2.22.x, 2.23.x, 2.24.x, 2.25.x, and 3.0.0 up to 3.1.0 are affected by CVE-2020-11971.
CVE-2020-11971 has a CVSS base score of 7.5 (high).
To fix CVE-2020-11971, users should upgrade to Apache Camel version 3.2.0.
You can find more information about CVE-2020-11971 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2020-11971) and the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2020-11971).