Ok, done.

Best,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642


On Mon, Sep 30, 2013 at 12:56 PM, Claus Ibsen <claus.ib...@gmail.com> wrote:
> Yeah or maybe just.
>
> Writing files using FILE or FTP components, can potentially be
> exploited by a malicious user.
>
>
> On Mon, Sep 30, 2013 at 12:51 PM, Christian Müller
> <christian.muel...@gmail.com> wrote:
> > It's a bit long...
> >
> > What's with:
> > CVE-2013-4330 - The FILE and FTP producer interprets the header
> > 'CamelFileName' as simple language expression if it matches
> > '$simple{...}'.
> >
> > Best,
> > Christian
> > -----------------
> >
> > Software Integration Specialist
> >
> > Apache Camel committer: https://camel.apache.org/team
> > V.P. Apache Camel: https://www.apache.org/foundation/
> > Apache Member: https://www.apache.org/foundation/members.html
> >
> > https://www.linkedin.com/pub/christian-mueller/11/551/642
> >
> >
> > On Mon, Sep 30, 2013 at 12:31 PM, Claus Ibsen <claus.ib...@gmail.com>
> > wrote:
> >
> >> I would suggest to update the title on the page
> >> http://camel.apache.org/security-advisories.html
> >>
> >> From:
> >> CVE-2013-4330 - Apache Camel critical disclosure vulnerability
> >>
> >> To:
> >> CVE-2013-4330 - When sending an Exchange with the in Message Header
> >> 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP
> >> producer, it will interpret the value as simple language expression
> >> which can be exploited by a malicious user.
> >>
> >> Or something better to say what the issue is about.
> >>
> >> On Mon, Sep 30, 2013 at 12:24 PM, Christian Müller
> >> <christian.muel...@gmail.com> wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> > CVE-2013-4330: Apache Camel critical disclosure vulnerability
> >> >
> >> > Severity: Critical
> >> >
> >> > Vendor: The Apache Software Foundation
> >> >
> >> > Versions Affected: Camel 2.9.0 to 2.9.7, Camel 2.10.0 to 2.10.6, Camel
> >> > 2.11.0 to 2.11.1, Camel 2.12.0
> >> > The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x and 2.8.x
> >> > versions may also be affected.
> >> >
> >> > Description: When sending an Exchange with the in Message Header
> >> > 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer,
> >> > it will interpret the value as simple language expression which can be
> >> > exploited by a malicious user.
> >> >
> >> > Mitigation: 2.9.x users should upgrade to 2.9.8, 2.10.x users should
> >> > upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users
> >> > should upgrade to 2.12.1. This patch will be included from Camel 2.13.0:
> >> >
> >> > https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0
> >> >
> >> > Example: Create a simple route which moves files from one directory to
> >> > another, e.g.:
> >> > from("file:c:/tmp/in")
> >> > .to("file:/c:/tmp/out");
> >> >
> >> > If you are using Windows, create a file with the name
> >> >
> >> > "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}"
> >> > (without the quotes)
> >> > and drop it into the "c:/tmp/in" directory. The file consumer will read and
> >> > process this file. It will also set the Exchange in Message Header
> >> > 'CamelFileName' with the value
> >> >
> >> > "$simple{camelContext.getClassResolver.resolveClass('java.lang.Runtime').getDeclaredMethods()[5].invoke(null,null).exec('calc.exe')}".
> >> > In the next step, the file producer will interpret the value of this
> >> > header as simple language expression and in this case, the Windows
> >> > calculator application will be started.
> >> >
> >> > Credit: This issue was discovered by Grégory Draperi.
> >> >
> >> > References: http://camel.apache.org/security-advisories.html
> >> >
> >> > On behalf of the Camel PMC,
> >> > Christian Müller
> >> >
> >> > V.P. Apache Camel: https://www.apache.org/foundation/
> >>
> >>
> >>
> >> --
> >> Claus Ibsen
> >> -----------------
> >> Red Hat, Inc.
> >> Email: cib...@redhat.com
> >> Twitter: davsclaus
> >> Blog: http://davsclaus.com
> >> Author of Camel in Action: http://www.manning.com/ibsen
> >>
> >
> >
>
> --
> Claus Ibsen
> -----------------
> Red Hat, Inc.
> Email: cib...@redhat.com
> Twitter: davsclaus
> Blog: http://davsclaus.com
> Author of Camel in Action: http://www.manning.com/ibsen
>
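A defensive check for deployments that cannot upgrade to the fixed releases right away, added here as an example and not part of the Camel project or of the patch linked in the advisory: a Processor placed before the FILE or FTP producer that refuses any CamelFileName header containing a simple-language start token, so a file name built to be evaluated as an expression never reaches the producer. The route directories are the advisory's; the class name SafeFileNameRoute and the token list (the advisory names `$simple{`; `${` is the other simple-language function syntax) are assumptions of this example.

```java
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;

/**
 * Example code, not the Camel project's own fix: rejects file names that
 * look like simple-language expressions before a FILE/FTP producer sees them.
 */
public class SafeFileNameRoute extends RouteBuilder {

    // Start tokens the simple language recognises (assumed list for this example).
    private static final String[] EXPRESSION_TOKENS = {"$simple{", "${"};

    /** True when the header value contains any expression start token. */
    static boolean looksLikeExpression(String fileName) {
        if (fileName == null) {
            return false;
        }
        for (String token : EXPRESSION_TOKENS) {
            if (fileName.contains(token)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void configure() {
        from("file:c:/tmp/in")
            // Validate CamelFileName (Exchange.FILE_NAME) before the producer runs.
            .process(new Processor() {
                @Override
                public void process(Exchange exchange) {
                    String name = exchange.getIn().getHeader(Exchange.FILE_NAME, String.class);
                    if (looksLikeExpression(name)) {
                        // Failing the exchange hands the file to the route's error
                        // handling instead of writing it under an evaluated name.
                        throw new IllegalArgumentException(
                            "Rejected CamelFileName that looks like an expression: " + name);
                    }
                }
            })
            .to("file:/c:/tmp/out");
    }
}
```

The check is a stop-gap only; the advisory's upgrade guidance remains the actual fix, and the rejected files should be reviewed through whatever error handler the route configures.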