Apache Camel Security Advisory - CVE-2014-0002

Apache Camel security advisory: CVE-2014-0002

Severity

CRITICAL

Summary

The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.

Versions affected

2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2

Versions fixed

2.11.4, 2.12.3, 2.13.0 and newer

Description

The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. A remote attacker able to submit messages to an xslt route could use this flaw to read files accessible to the running application server and potentially perform other more advanced XXE attacks.

Notes

Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:

<route>
  <from uri="servlet:///hello"/>
  <to uri="xslt:file:/tmp/transform.xsl" />
  <to uri="file:/tmp/output" />
</route>

If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route.

Mitigation

2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6

Credit

This issue was discovered by David Jorm.

References

PGP signed advisory data: CVE-2014-0002.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0002