Apache Camel security advisory: CVE-2014-0003

Severity

CRITICAL

Summary

The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.

Versions affected

2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2

Versions fixed

2.11.4, 2.12.3, 2.13.0 and newer

Description

The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. A remote attacker able to submit messages to an xslt Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process.

Notes

Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:

<route>
  <from uri="servlet:///hello"/>
  <to uri="xslt:file:/tmp/transform.xsl" />
  <to uri="file:/tmp/output" />
</route>

If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.

Mitigation

2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=e922f89290f236f3107039de61af0375826bd96d

Credit

This issue was discovered by David Jorm.

References

PGP signed advisory data: CVE-2014-0003.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0003