Specialists in a hacking course have published the discovery of multiple vulnerabilities in Apache Camel, the routing and rule-based mediation engine that provides a Java object-based implementation of the patterns proposed in Enterprise Integration Patterns. Exploiting these failures would allow the deployment of various risk scenarios for administrators of compromised deployments.
Below are brief descriptions of the reported flaws, in addition to their respective Common Vulnerability Scoring System (CVSS) identification keys and scores.
CVE-2020-11973: This vulnerability would allow a remote threat actor to execute arbitrary code on the target system. According to the hacking course specialists, the vulnerability exists due to Apache Camel Netty, which enables Java deserialization by default. A malicious hacker could pass specially designed data to the application and execute arbitrary code, which could result in the total compromise of the vulnerable system.
It is worth mentioning that the reported vulnerabilities are present in the following versions of Apache Camel: 2.20.0, 2.20.1, 2.20.2, 2.20.3, 2.20.4, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.21.4, 2.21.5, 2.22.0 , 2.22.1, 2.22.2, 2.22.3, 2.22.4, 2.22.5, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.23.4, 2.24.0 2.24.1, 2.24 .2, 2.24.3, 2.25.0, 3.0.0, 3.0.1 & 3.1.0.
Although the vulnerability can be exploited remotely and without authentication, the finding of some useful exploit for this attack has not been reported. The flaw received a score of 8.5/10, so it is considered a serious error.
CVE-2020-11972: Exploiting this flaw allows remote hackers to execute arbitrary code on the target system. The flaw exists because Apache Camel RabbitMQ enables Java deserialization by default. A threat actor could pass data specially designed to execute arbitrary code on the vulnerable system, leading to total compromise.
This vulnerability can be exploited remotely, but the existence of a functional exploit for the attack is unknown. This flaw received a score of 8.5/10 on the CVSS scale.
CVE-2020-11971: Exploiting this vulnerability would allow a remote threat actor to perform some variants of phishing attack. This flaw exists because Apache Camel JMX is vulnerable to DNS binding attacks, so malicious hackers could send specially designed data to the application.
Like previous flaw, CVE-2020-11971 can be exploited remotely by an unauthenticated hacker, although the presence of an exploit has not been reported to trigger the attack. The flaw received a score of 4.7/10, so it is considered a moderate gravity error, the specialists of the hacking course mentioned.
According to the International Institute of Cyber Security (IICS), all reported vulnerabilities have already been fixed, so exposed deployment administrators should only install the latest available version.