CVE-2020-11973
First published: Thu May 14 2020(Updated: )
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/camel | <3.2.0 | 3.2.0 |
| redhat/camel | <2.25.1 | 2.25.1 |
| Apache Camel | >=2.22.0<=2.25.0 | |
| Apache Camel | >=3.0.0<=3.1.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.5.0 | |
| Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/05/14/9
- https://camel.apache.org/security/CVE-2020-11973.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/security/cve/cve-2020-11973
- https://bugzilla.redhat.com/show_bug.cgi?id=1848465
- https://www.cve.org/CVERecord?id=CVE-2020-11973 https://nvd.nist.gov/vuln/detail/CVE-2020-11973
Frequently Asked Questions
What is CVE-2020-11973?
CVE-2020-11973 is a vulnerability in Apache Camel that allows arbitrary code execution through Java deserialization.
What is the severity of CVE-2020-11973?
The severity of CVE-2020-11973 is critical, with a severity value of 9.8.
How does CVE-2020-11973 affect data confidentiality and integrity?
CVE-2020-11973 can lead to a compromise of data confidentiality and integrity.
Which versions of Apache Camel are affected by CVE-2020-11973?
Versions 2.22.x, 2.23.x, 2.24.x, and 2.25.0 of Apache Camel are affected by CVE-2020-11973.
How can I fix CVE-2020-11973?
To fix CVE-2020-11973, upgrade to Apache Camel version 3.2.0 or higher.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-11973
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/apache
- canonical/apache camel
- version/apache camel/2.22.0
- version/apache camel/2.25.0
- version/apache camel/3.0.0
- version/apache camel/3.1.0
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.5.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.3.0.0
- version/oracle enterprise manager base platform/13.4.0.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- package-manager/redhat