CVE-2020-11973
First published: Thu May 14 2020(Updated: )
A flaw was found in camel. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/camel | <3.2.0 | 3.2.0 |
| redhat/camel | <2.25.1 | 2.25.1 |
| Apache Camel | >=2.22.0<=2.25.0 | |
| Apache Camel | >=3.0.0<=3.1.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.5.0 | |
| Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 |
Remedy
Red Hat JBoss Fuse 6 & Red Hat Fuse 7 customers should use `camel-netty4` instead
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/05/14/9
- https://camel.apache.org/security/CVE-2020-11973.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/security/cve/cve-2020-11973
- https://bugzilla.redhat.com/show_bug.cgi?id=1848465
- https://www.cve.org/CVERecord?id=CVE-2020-11973 https://nvd.nist.gov/vuln/detail/CVE-2020-11973
Frequently Asked Questions
What is CVE-2020-11973?
CVE-2020-11973 is a vulnerability in Apache Camel that allows arbitrary code execution through Java deserialization.
What is the severity of CVE-2020-11973?
The severity of CVE-2020-11973 is critical, with a severity value of 9.8.
How does CVE-2020-11973 affect data confidentiality and integrity?
CVE-2020-11973 can lead to a compromise of data confidentiality and integrity.
Which versions of Apache Camel are affected by CVE-2020-11973?
Versions 2.22.x, 2.23.x, 2.24.x, and 2.25.0 of Apache Camel are affected by CVE-2020-11973.
How can I fix CVE-2020-11973?
To fix CVE-2020-11973, upgrade to Apache Camel version 3.2.0 or higher.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-11973
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache camel
- version/apache camel/2.22.0
- version/apache camel/2.25.0
- version/apache camel/3.0.0
- version/apache camel/3.1.0
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.5.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.3.0.0
- version/oracle enterprise manager base platform/13.4.0.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- package-manager/redhat