rhsa-2014_0140
Vulnerability from csaf_redhat
Published
2014-02-05 17:42
Modified
2024-09-13 08:27
Summary
Red Hat Security Advisory: Apache Camel security update
Notes
Topic
An update for the Apache Camel component that fixes one security issue is
now available from the Red Hat Customer Portal for Red Hat JBoss BRMS
6.0.0, and Red Hat JBoss BPMS 6.0.0.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
score, which gives detailed severity rating, is available from the CVE link
in the References section.
Details
Apache Camel is a versatile open-source integration framework based on
known Enterprise Integration Patterns.
A flaw was found in Apache Camel's parsing of the FILE_NAME header.
A remote attacker able to submit messages to a Camel route, which would
write the provided message to a file, could provide expression language
(EL) expressions in the FILE_NAME header that would be evaluated on the
server. This could lead to arbitrary remote code execution in the context
of the Camel server process. (CVE-2013-4330)
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the Apache Camel component that fixes one security issue is\nnow available from the Red Hat Customer Portal for Red Hat JBoss BRMS\n6.0.0, and Red Hat JBoss BPMS 6.0.0.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscore, which gives detailed severity rating, is available from the CVE link\nin the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Camel is a versatile open-source integration framework based on\nknown Enterprise Integration Patterns.\n\nA flaw was found in Apache Camel\u0027s parsing of the FILE_NAME header.\nA remote attacker able to submit messages to a Camel route, which would\nwrite the provided message to a file, could provide expression language\n(EL) expressions in the FILE_NAME header that would be evaluated on the\nserver. This could lead to arbitrary remote code execution in the context\nof the Camel server process. (CVE-2013-4330)\n\nAll users of the affected products as provided from the Red Hat Customer\nPortal are advised to apply this update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0140",
"url": "https://access.redhat.com/errata/RHSA-2014:0140"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "1011726",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1011726"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2014/rhsa-2014_0140.json"
}
],
"title": "Red Hat Security Advisory: Apache Camel security update",
"tracking": {
"current_release_date": "2024-09-13T08:27:57+00:00",
"generator": {
"date": "2024-09-13T08:27:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2014:0140",
"initial_release_date": "2014-02-05T17:42:18+00:00",
"revision_history": [
{
"date": "2014-02-05T17:42:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-15T16:41:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-13T08:27:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.0",
"product": {
"name": "Red Hat JBoss BPMS 6.0",
"product_id": "Red Hat JBoss BPMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.0",
"product": {
"name": "Red Hat JBoss BRMS 6.0",
"product_id": "Red Hat JBoss BRMS 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_brms:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-4330",
"discovery_date": "2013-09-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1011726"
}
],
"notes": [
{
"category": "description",
"text": "Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including \"$simple{}\" in a CamelFileName message header to a (1) FILE or (2) FTP producer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Camel: remote code execution via header field manipulation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.0",
"Red Hat JBoss BRMS 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4330"
},
{
"category": "external",
"summary": "RHBZ#1011726",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1011726"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4330",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4330"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4330",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4330"
}
],
"release_date": "2013-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "The References section of this erratum contains download links (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss BPMS 6.0",
"Red Hat JBoss BRMS 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0140"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss BPMS 6.0",
"Red Hat JBoss BRMS 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Camel: remote code execution via header field manipulation"
}
]
}
Loading...