CVE-2024-22369: Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component

A new vulnerability, CVE-2024-22369, has been disclosed in Apache Camel, a popular open-source integration framework based on Enterprise Integration Patterns. It affects the SQL component (camel-sql) and is classified as deserialization of untrusted data (CWE-502). The affected versions are 3.0.0 before 3.21.4, 3.22.0 before 3.22.1, 4.0.0 before 4.0.4, and 4.1.0 before 4.4.0. Users are strongly advised to upgrade to the patched version for their release stream.

Exploit Details

The SQL component reads Java-serialized objects back from data it does not fully control, and before the fix it placed no restriction on which classes the deserializer would resolve and instantiate. An attacker who can get a crafted serialized object into that data path can have arbitrary classes instantiated during deserialization, which is the basis of the classic Java gadget-chain attack and can lead to remote code execution, unauthorized access, or other compromise of the integration runtime. The bytes themselves cannot be meaningfully "sanitized": the only sound defenses are to avoid native Java serialization of untrusted data or to restrict the classes the stream may name.

The snippet below is a schematic Java sketch of a Camel component's createEndpoint, showing where endpoint URI options are bound onto the component's configuration. The class names (SQLComponent, SQLConfiguration, SQL, SQLEndpoint) are illustrative rather than the component's actual types, and the property binding shown here is not itself the unsafe operation: the deserialization sink sits deeper, where the component reads stored Java-serialized objects with no restriction on the classes allowed in the stream.

import java.util.Map;

import org.apache.camel.Endpoint;
import org.apache.camel.support.DefaultComponent;

public class SQLComponent extends DefaultComponent {
    ...
    @Override
    protected Endpoint createEndpoint(String uri, String remaining, Map<String, Object> parameters) throws Exception {
        SQLConfiguration configuration = new SQLConfiguration();
        SQL sql = new SQL();
        // Bind the endpoint URI options onto the SQL object (reflection-based property binding, not Java deserialization)
        setProperties(sql, parameters);
        // Hand the configured SQL object to the endpoint configuration
        configuration.setSql(sql);
        SQLEndpoint endpoint = new SQLEndpoint(uri, this, configuration);
        ...
        return endpoint;
    }
    ...
}
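To make the fix pattern concrete, here is an added example (not Camel's code and not part of the original page) that contrasts unfiltered Java deserialization with the allowlist approach the patched releases take: a JDK ObjectInputFilter (JEP 290, Java 9 and later) built from the pattern `java.**;org.apache.camel.**;!*`, which permits JDK and Camel classes and rejects everything else. This is the same pattern syntax the patched camel-sql JdbcAggregationRepository accepts through its deserializationFilter option. The UntrustedRecord class, the ALLOWLIST constant and the sample payloads are constructed stand-ins for this demonstration, not a real gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class DeserializationFilterDemo {

    // Allow JDK and Camel classes, reject every other class named in the stream.
    // Constant introduced for this example; the pattern syntax is the JDK's (ObjectInputFilter.Config.createFilter).
    static final String ALLOWLIST = "java.**;org.apache.camel.**;!*";

    // Constructed stand-in for a class an attacker might reference in a crafted stream.
    // It is harmless; the point is that it lives outside the allowlisted packages.
    public static class UntrustedRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "outside the allowlist";
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    // Vulnerable pattern: every class named in the stream is resolved and instantiated.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for each class before it is resolved;
    // a REJECTED verdict aborts the read with InvalidClassException before any constructor or readObject runs.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(ALLOWLIST));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> benign = new HashMap<>();
        benign.put("orders", 3);
        byte[] benignBytes = serialize(benign);                 // only java.util / java.lang classes in the stream
        byte[] hostileBytes = serialize(new UntrustedRecord()); // default-package class, not covered by java.**

        System.out.println("unfiltered, benign : " + readUnfiltered(benignBytes));
        System.out.println("unfiltered, hostile: instantiated " + readUnfiltered(hostileBytes).getClass().getName());
        System.out.println("filtered,   benign : " + readFiltered(benignBytes));
        try {
            readFiltered(hostileBytes);
            System.out.println("filtered,   hostile: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The unfiltered reader happily instantiates UntrustedRecord; the filtered reader rejects it with "filter status: REJECTED" while still accepting the HashMap. Two caveats for production use: if your exchanges carry custom body types, those packages must be added to the allowlist or the filtered read will fail, and a broad `java.**` entry still permits gadget chains built entirely from JDK classes, so narrow the list to the concrete types you expect wherever you control them.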

Mitigation

To protect your systems from this vulnerability, upgrade to a patched release of Apache Camel. The following versions contain the fix:

- If you are on the 4.x main line (4.1.x or later), upgrade to 4.4.0.

- If you are on the 4.0.x LTS release stream, upgrade to 4.0.4.

- If you are on the 3.x release stream, upgrade to 3.21.4 (for 3.21.x) or 3.22.1 (for 3.22.x), depending on your current version.

Check the camel-sql version your build actually resolves (for example with `mvn dependency:tree`) rather than relying on the declared BOM or parent version, since a transitive pin can keep an older artifact on the classpath.

Fixed versions are available from the Apache Camel official website, and the project's advisories, including this one, are published at Apache Camel Security Advisories: https://camel.apache.org/security/

Conclusion

CVE-2024-22369 is a deserialization-of-untrusted-data vulnerability in the SQL component of Apache Camel. Keep your deployments current and apply the patched releases so that crafted serialized objects cannot be used against the component. More generally, review your codebase for every place that deserializes Java objects from data you do not fully control: prefer a data format that does not instantiate arbitrary classes, and where native Java serialization cannot be avoided, enforce an allowlist of permitted classes (a JDK ObjectInputFilter) instead of attempting to sanitize the serialized bytes.

Timeline

Published on: 02/20/2024 15:15:10 UTC
Last modified on: 02/20/2024 19:50:53 UTC