CVE-2024-22369: Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository
First published: Mon Feb 19 2024(Updated: )
Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.camel:camel-sql | >=4.1.0<4.4.0 | 4.4.0 |
| maven/org.apache.camel:camel-sql | >=4.0.0<4.0.4 | 4.0.4 |
| maven/org.apache.camel:camel-sql | >=3.22.0<3.22.1 | 3.22.1 |
| maven/org.apache.camel:camel-sql | >=3.0.0<3.21.4 | 3.21.4 |
| Red Hat Build of Apache Camel | >=3.0.0<3.21.4 | |
| Red Hat Build of Apache Camel | >=4.0.0<4.0.4 | |
| Red Hat Build of Apache Camel | >=4.1.0<4.4.0 | |
| Red Hat Build of Apache Camel | =3.22.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/3dko781dy2gy5l3fs48p56fgp429yb0f
- https://nvd.nist.gov/vuln/detail/CVE-2024-22369
- https://github.com/apache/camel/pull/12706
- https://github.com/apache/camel/pull/12707
- https://github.com/apache/camel/pull/12708
- https://github.com/apache/camel/pull/12709
- https://github.com/apache/camel/pull/12716
- https://github.com/apache/camel/pull/12717
- https://github.com/apache/camel/pull/12718
- https://github.com/apache/camel/pull/12719
- https://github.com/apache/camel/pull/12789
- https://github.com/oscerd/CVE-2024-22369
- https://issues.apache.org/jira/browse/CAMEL-20303
- https://github.com/advisories/GHSA-36xr-4x2f-cfj9 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-22369?
CVE-2024-22369 is classified as a high severity vulnerability due to its potential for deserialization of untrusted data in Apache Camel's SQL component.
How do I fix CVE-2024-22369?
To remediate CVE-2024-22369, upgrade Apache Camel SQL component to version 4.4.0, 4.0.4, or 3.22.1, depending on your current version.
Which versions are affected by CVE-2024-22369?
CVE-2024-22369 affects Apache Camel versions from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, and from 4.1.0 before 4.4.0.
Is CVE-2024-22369 specific to Apache Camel?
Yes, CVE-2024-22369 specifically affects the SQL component of Apache Camel.
What should I do if I cannot upgrade to patched versions for CVE-2024-22369?
If unable to upgrade, consider applying security best practices, such as input validation and limiting exposure to affected components.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-22369
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-36xr-4x2f-cfj9
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- package-manager/maven
- vendor/apache
- canonical/red hat build of apache camel
- version/red hat build of apache camel/3.0.0
- version/red hat build of apache camel/4.0.0
- version/red hat build of apache camel/4.1.0
- version/red hat build of apache camel/3.22.0