Yeah or maybe just.
Writing files using FILE or FTP components, can potentially be
exploited by a malicious user.
On Mon, Sep 30, 2013 at 12:51 PM, Christian Müller
<christian.muel...@gmail.com> wrote:
> It's a bit long...
>
> What's with:
> CVE-2013-4330 - The FILE and FTP producer interprets the header
> 'CamelFileName' as simple language expression if it matches '$simple{...}'.
>
> Best,
> Christian
> -----------------
>
> Software Integration Specialist
>
> Apache Camel committer: https://camel.apache.org/team
> V.P. Apache Camel: https://www.apache.org/foundation/
> Apache Member: https://www.apache.org/foundation/members.html
>
> https://www.linkedin.com/pub/christian-mueller/11/551/642
>
>
> On Mon, Sep 30, 2013 at 12:31 PM, Claus Ibsen <claus.ib...@gmail.com> wrote:
>
>> I would suggest to update the title on the page
>> http://camel.apache.org/security-advisories.html
>>
>> From:
>> CVE-2013-4330 - Apache Camel critical disclosure vulnerability
>>
>> To:
>> CVE-2013-4330 - When sending an Exchange with the in Message Header
>> 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP
>> producer, it will interpret the value as simple language expression
>> which can be exploited by a malicious user.
>>
>> Or something better to say what the issue is about.
>>
>> On Mon, Sep 30, 2013 at 12:24 PM, Christian Müller
>> <christian.muel...@gmail.com> wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > CVE-2013-4330: Apache Camel critical disclosure vulnerability
>> >
>> > Severity: Critical
>> >
>> > Vendor: The Apache Software Foundation
>> >
>> > Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel
>> > 2.11.0 to 2.11.1, Camel 2.12.0
>> > The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x
>> versions
>> > may be also affected.
>> >
>> > Description: When sending an Exchange with the in Message Header
>> > 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer,
>> > it will interpret the value as simple language expression which can be
>> > exploited by a malicious user.
>> >
>> > Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should
>> > upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users
>> > should upgrade to 2.12.1. This patch will be included from Camel 2.13.0:
>> >
>> https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0
>> >
>> > Example: Create a simple route which moves files from one directory to
>> > another, e.g.:
>> > from("file:c:/tmp/in")
>> > .to("file:/c:/tmp/out");
>> >
>> > If you are using Windows, create an file with the name
>> >
>> "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}"
>> > (without the quotes)
>> > and drop it into the "c:/tmp/in" directory. The file consumer will read
>> and
>> > process this file. It will also set the Exchange in Message Header
>> > 'CamelFileName' with the value
>> >
>> "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}".
>> > In the next step, the file producer will interpreted the value of this
>> > header as simple language expression and in this case, the Windows
>> > calculator application will be started.
>> >
>> > Credit: This issue was discovered by Grégory Draperi.
>> >
>> > References: http://camel.apache.org/security-advisories.html
>> >
>> > -----BEGIN PGP SIGNATURE-----
>> > Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
>> > Comment: GPGTools - http://gpgtools.org
>> >
>> > iQIcBAEBAgAGBQJSSUxLAAoJEImh9lEqI5wsxY8P/2NUDc0uEbqMKCu+gp9n0yDz
>> > +0JQebcQiIo/tuwmI6/HhQiF9asy3RZTQ4VCc6KelxWW7lB4Gmi9tq71bSfcf+uu
>> > 3o3ewNNbh+/vDcDKowOQnZlsD+9xW4fD/VOJt2obCapbLvS1tbLxY4lLly/fCETt
>> > DJPExaAhicJQSX0X+jNAAJus5B0JUnAy2QMBj2ZDBPieH82RqtqQ44JtZsd/lyjH
>> > d+PRhI44CLramTBX2HQYQtl/RR/sbzGosvbtQV91JL0j26dDMYDeLtVo+GWpjtw6
>> > QuKrHvinBF6KKGd2aHEHYPP7yi2nQxlFlvPpEkf/YROKMR+JzyerZmsn5ziylrA7
>> > NYlDsQ1LRRJOMiHC9aEOk5Y1++QoQ65EWJfRc2QB320tmGlCGUtXCM/nydyj7rDX
>> > UOnnN9K5BMyPdk9qfgMWrUXVZyG8KKOwIDA9fMc4y/3wybllzBOsxidkDx8WbZsk
>> > MWmoqtp7EJBIUAm4EmLV1LOD2tBBmXlA0GsdirgXgeoSYb/3lI6HRdMIS0HU3Uu8
>> > jG7huiMrUTOkZz7Cs5Pome9ZFWkmfCrTSrOI6zTvcEleuimb2SK2FrHtymQi4dFh
>> > DY7s63z52Ic1i7yJKLP5geVDQAaZesftwCFQtVJXF0+0uwuXUvOsCScaxNdVJM/Z
>> > seH3FliiPjZJoEHV0fP7
>> > =CQKT
>> > -----END PGP SIGNATURE-----
>> >
>> >
>> > On behalf of the Camel PMC,
>> > Christian Müller
>> >
>> > V.P. Apache Camel: https://www.apache.org/foundation/
>>
>>
>>
>> --
>> Claus Ibsen
>> -----------------
>> Red Hat, Inc.
>> Email: cib...@redhat.com
>> Twitter: davsclaus
>> Blog: http://davsclaus.com
>> Author of Camel in Action: http://www.manning.com/ibsen
>>
--
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cib...@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen
