Miggo Logo
Miggo Vulnerability Database
CVE-2017-12633

CVE-2017-12633: Apache Camel camel-hessian component vulnerable to Java object deserialization

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-12633
GHSA ID
GHSA-5whj-523x-6j68
EPSS Score
0.86924%
CWE
CWE-502
Published
5/14/2022
Updated
2/2/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.camel:camel-hessianmaven>= 2.0, < 2.19.42.19.4
org.apache.camel:camel-hessianmaven= 2.20.02.20.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers around unsafe Java deserialization in the Hessian component. The primary vulnerable function is HessianDataFormat.unmarshal() which lacked class filtering pre-patch. During exploitation, the call stack would show the Camel component initiating deserialization (HessianDataFormat) followed by Hessian's internal serialization mechanisms (SerializerFactory). The high confidence for HessianDataFormat comes from direct references in security advisories and JIRA tickets, while SerializerFactory is inferred from typical Hessian exploitation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **m*l-**ssi*n *ompon*nt in *p**** **m*l *.x ***or* *.**.* *n* *.**.x ***or* *.**.* is vuln*r**l* to J*v* o*j**t **-s*ri*lis*tion vuln*r**ility. **-s*ri*lizin* untrust** **t* **n l*** to s**urity *l*ws.

Reasoning

T** vuln*r**ility **nt*rs *roun* uns*** J*v* **s*ri*liz*tion in t** **ssi*n *ompon*nt. T** prim*ry vuln*r**l* *un*tion is `**ssi*n**t**orm*t.unm*rs**l()` w*i** l**k** *l*ss *ilt*rin* pr*-p*t**. *urin* *xploit*tion, t** **ll st**k woul* s*ow t** `**m*