Apache Camel security advisory: CVE-2013-4330

Severity

CRITICAL

Summary

Writing files using FILE or FTP components, can potentially be exploited by a malicious user.

Versions affected

2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0

Versions fixed

2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer

Description

When sending an Exchange with the in Message Header 'CamelFileName' with a value of '$simple{...}' to a FILE or FTP producer, it will interpret the value as simple language expression which can be exploited by a malicious user.

Notes

Example: Create a simple route which moves files from one directory to another, e.g.:

from("file:c:/tmp/in")
  .to("file:/c:/tmp/out");

If you are using Windows, create an file with a name like "$simple{<some malicious code>}" (without the quotes) and drop it into the “c:/tmp/in” directory. The file consumer will read and process this file. It will also set the Exchange in Message Header ‘CamelFileName’ with the value "$simple{<some malicious code>}". In the next step, the file producer will interpreted the value of this header as simple language expression and execute the malicious code.

Mitigation

2.9.x users should upgrade to 2.9.8, 2.10.x users should upgrade to 2.10.7, 2.11.x users should upgrade to 2.11.2 and 2.12.0 users should upgrade to 2.12.1. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=27a9752a565fbef436bac4fcf22d339e3295b2a0

Credit

This issue was discovered by Grégory Draperi

References

PGP signed advisory data: CVE-2013-4330.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4330