From 0176e36ca74687f4d6becc159fe0fc7bb99a92a8 Mon Sep 17 00:00:00 2001 From: Andrea Cosentino Date: Fri, 10 Jul 2026 10:11:56 +0200 Subject: [PATCH] [GHSA-8h6p-jvhf-9hcr] Deserialization of Untrusted Data vulnerability in Apache... Signed-off-by: Andrea Cosentino --- .../GHSA-8h6p-jvhf-9hcr.json | 694 +++++++++++++++++- 1 file changed, 692 insertions(+), 2 deletions(-) diff --git a/advisories/unreviewed/2026/07/GHSA-8h6p-jvhf-9hcr/GHSA-8h6p-jvhf-9hcr.json b/advisories/unreviewed/2026/07/GHSA-8h6p-jvhf-9hcr/GHSA-8h6p-jvhf-9hcr.json index 40d65ef7f1007..81b24bdffbba4 100644 --- a/advisories/unreviewed/2026/07/GHSA-8h6p-jvhf-9hcr/GHSA-8h6p-jvhf-9hcr.json +++ b/advisories/unreviewed/2026/07/GHSA-8h6p-jvhf-9hcr/GHSA-8h6p-jvhf-9hcr.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-8h6p-jvhf-9hcr", - "modified": "2026-07-06T21:30:35Z", + "modified": "2026-07-10T07:58:22Z", "published": "2026-07-06T09:30:28Z", "aliases": [ "CVE-2026-42527" ], + "summary": "Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure", "details": "Deserialization of Untrusted Data vulnerability in Apache Camel.\n\nThe default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).\nThis issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).", "severity": [ { @@ -13,7 +14,692 @@ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-jms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-jms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-jms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sjms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sjms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sjms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-amqp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-amqp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-amqp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-mina" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-mina" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-mina" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-netty-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-vertx-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-vertx-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-vertx-http" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-infinispan" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-infinispan" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-infinispan" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-leveldb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-leveldb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-leveldb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-cassandraql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-cassandraql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-cassandraql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-consul" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.14.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.14.8" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.18.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-sql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.20.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + } + ], "references": [ { "type": "ADVISORY", @@ -26,6 +712,10 @@ { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2026/07/05/4" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/camel/tree/main/components/camel-jms" } ], "database_specific": {