I would suggest to update the title on the page
http://camel.apache.org/security-advisories.html
From:
CVE-2013-4330 - Apache Camel critical disclosure vulnerability
To:
CVE-2013-4330 - When sending an Exchange with the in Message Header
'CamelFileName' with a value of '$simple{...}' to a FILE or FTP
producer, it will interpret the value as simple language expression
which can be exploited by a malicious user.
Or something better to say what the issue is about.
On Mon, Sep 30, 2013 at 12:24 PM, Christian Müller
<christian.muel...@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2013-4330: Apache Camel critical disclosure vulnerability
>
> Severity: Critical
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel
> 2.11.0 to 2.11.1, Camel 2.12.0
> The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x versions
> may be also affected.
>
> Description: When sending an Exchange with the in Message Header
> 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer,
> it will interpret the value as simple language expression which can be
> exploited by a malicious user.
>
> Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should
> upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users
> should upgrade to 2.12.1. This patch will be included from Camel 2.13.0:
> https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0
>
> Example: Create a simple route which moves files from one directory to
> another, e.g.:
> from("file:c:/tmp/in")
> .to("file:/c:/tmp/out");
>
> If you are using Windows, create an file with the name
> "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}"
> (without the quotes)
> and drop it into the "c:/tmp/in" directory. The file consumer will read and
> process this file. It will also set the Exchange in Message Header
> 'CamelFileName' with the value
> "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}".
> In the next step, the file producer will interpreted the value of this
> header as simple language expression and in this case, the Windows
> calculator application will be started.
>
> Credit: This issue was discovered by Grégory Draperi.
>
> References: http://camel.apache.org/security-advisories.html
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBAgAGBQJSSUxLAAoJEImh9lEqI5wsxY8P/2NUDc0uEbqMKCu+gp9n0yDz
> +0JQebcQiIo/tuwmI6/HhQiF9asy3RZTQ4VCc6KelxWW7lB4Gmi9tq71bSfcf+uu
> 3o3ewNNbh+/vDcDKowOQnZlsD+9xW4fD/VOJt2obCapbLvS1tbLxY4lLly/fCETt
> DJPExaAhicJQSX0X+jNAAJus5B0JUnAy2QMBj2ZDBPieH82RqtqQ44JtZsd/lyjH
> d+PRhI44CLramTBX2HQYQtl/RR/sbzGosvbtQV91JL0j26dDMYDeLtVo+GWpjtw6
> QuKrHvinBF6KKGd2aHEHYPP7yi2nQxlFlvPpEkf/YROKMR+JzyerZmsn5ziylrA7
> NYlDsQ1LRRJOMiHC9aEOk5Y1++QoQ65EWJfRc2QB320tmGlCGUtXCM/nydyj7rDX
> UOnnN9K5BMyPdk9qfgMWrUXVZyG8KKOwIDA9fMc4y/3wybllzBOsxidkDx8WbZsk
> MWmoqtp7EJBIUAm4EmLV1LOD2tBBmXlA0GsdirgXgeoSYb/3lI6HRdMIS0HU3Uu8
> jG7huiMrUTOkZz7Cs5Pome9ZFWkmfCrTSrOI6zTvcEleuimb2SK2FrHtymQi4dFh
> DY7s63z52Ic1i7yJKLP5geVDQAaZesftwCFQtVJXF0+0uwuXUvOsCScaxNdVJM/Z
> seH3FliiPjZJoEHV0fP7
> =CQKT
> -----END PGP SIGNATURE-----
>
>
> On behalf of the Camel PMC,
> Christian Müller
>
> V.P. Apache Camel: https://www.apache.org/foundation/
--
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cib...@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen
