CVE-2020-11972
📋 TL;DR
Apache Camel RabbitMQ component has insecure default configuration that enables Java deserialization, allowing remote code execution. This affects Apache Camel versions 2.22.x through 2.25.0 and 3.0.0 through 3.1.0. Attackers can exploit this to execute arbitrary code on affected systems.
💻 Affected Systems
- Apache Camel
📦 What is this software?
- Camel by Apache
- Communications Diameter Signaling Router by Oracle
- Enterprise Manager Base Platform by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full control of the system, leading to data theft, ransomware deployment, or complete system compromise.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and lateral movement within the network.
If Mitigated
If proper network segmentation and access controls are in place, impact may be limited to the specific application instance.
🎯 Exploit Status
Exploitation requires sending malicious serialized objects to the RabbitMQ endpoint. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.25.1 for 2.x, 3.2.0 for 3.x
Vendor Advisory: https://camel.apache.org/security/CVE-2020-11972.html
Restart Required: Yes
Instructions:
1. Identify the Apache Camel version.
2. For 2.x: Upgrade to 2.25.1 or later.
3. For 3.x: Upgrade to 3.2.0 or later.
4. Restart the application.
🔧 Temporary Workarounds
Disable Java deserialization in RabbitMQ component
Configure the RabbitMQ component to disable Java object deserialization
Set 'allowSerializedHeaders' to false in RabbitMQ component configuration
Network segmentation
Restrict network access to RabbitMQ endpoints
Configure firewall rules to limit access to RabbitMQ ports (default 5672, 5671)
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure of RabbitMQ endpoints
- Monitor for suspicious deserialization attempts and Java process spawning
🔍 How to Verify
Check if Vulnerable:
Check the Apache Camel version and the RabbitMQ component configuration. If an affected version is in use together with the RabbitMQ component at its default settings, the system is vulnerable.
Check Version:
Check application logs or configuration files for Apache Camel version. For Maven projects: mvn dependency:tree | grep camel-core
Verify Fix Applied:
Verify Apache Camel version is 2.25.1+ (2.x) or 3.2.0+ (3.x) and RabbitMQ component has 'allowSerializedHeaders' set to false.
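The version check above can be automated against the output of `mvn dependency:tree`. The following script is an added example, not code from the Apache Camel project or from the advisory: it parses the tree for `org.apache.camel` artifacts, tests the `camel-rabbitmq` version against the affected ranges stated above (2.22.x through 2.25.0, 3.0.0 through 3.1.0) and reports the minimum fixed release (2.25.1 or 3.2.0). The sample tree output embedded in the script is constructed for illustration; treating the presence of an affected `camel-rabbitmq` artifact as the vulnerability criterion is the script's own heuristic, and a project that never uses the RabbitMQ component is not exposed even if `camel-core` is in range.

```python
"""Check Apache Camel artifacts from `mvn dependency:tree` output against the
CVE-2020-11972 affected ranges (2.22.x-2.25.0, 3.0.0-3.1.0) and fixed
versions (2.25.1, 3.2.0).

Added example; the sample tree below is constructed, not from a real project."""
import re
from typing import Optional

# Constructed sample of what `mvn dependency:tree` prints for a project using Camel.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.0.0
[INFO] +- org.apache.camel:camel-core:jar:3.1.0:compile
[INFO] |  \\- org.apache.camel:camel-api:jar:3.1.0:compile
[INFO] +- org.apache.camel:camel-rabbitmq:jar:3.1.0:compile
[INFO] |  \\- com.rabbitmq:amqp-client:jar:5.8.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

# Matches "org.apache.camel:<artifact>:jar:<version>" anywhere in a tree line.
DEP_RE = re.compile(r"org\.apache\.camel:(?P<artifact>[\w.-]+):jar:(?P<version>[\w.-]+)")

# Affected ranges as (inclusive low, inclusive high) tuples, per the advisory text.
AFFECTED = [((2, 22, 0), (2, 25, 0)), ((3, 0, 0), (3, 1, 0))]
# Minimum fixed release per major version line.
FIXED = {2: (2, 25, 1), 3: (3, 2, 0)}


def parse_version(v: str) -> tuple:
    """'3.1.0' -> (3, 1, 0). Qualifiers such as '-SNAPSHOT' are dropped for comparison."""
    core = v.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def required_fix(version: str) -> Optional[str]:
    """Minimum fixed version for this major line, or None if not affected."""
    if not is_affected(version):
        return None
    return ".".join(map(str, FIXED[parse_version(version)[0]]))


def camel_artifacts(tree_output: str) -> dict:
    """Map every org.apache.camel artifact in the tree to its version string."""
    found = {}
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m:
            found[m.group("artifact")] = m.group("version")
    return found


def assess(tree_output: str) -> dict:
    """Summarise exposure. Heuristic: vulnerable only when camel-rabbitmq is present
    at an affected version (camel-core alone does not carry the RabbitMQ component)."""
    arts = camel_artifacts(tree_output)
    rabbit = arts.get("camel-rabbitmq")
    vulnerable = bool(rabbit and is_affected(rabbit))
    return {
        "camel_core": arts.get("camel-core"),
        "camel_rabbitmq": rabbit,
        "vulnerable": vulnerable,
        "upgrade_to": required_fix(rabbit) if vulnerable else None,
    }


if __name__ == "__main__":
    import sys
    # Pipe real output in: mvn dependency:tree | python check_camel.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print(assess(data))
```

Run it with `mvn dependency:tree | python check_camel.py` (the script name is the example's own); with no input it assesses the constructed sample, which reports `camel-rabbitmq` 3.1.0 as vulnerable with 3.2.0 as the upgrade target.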
📡 Detection & Monitoring
Log Indicators:
- Java deserialization errors
- Unexpected Java class loading
- Suspicious process spawning from Camel application
Network Indicators:
- Unusual traffic to RabbitMQ ports (5672, 5671)
- Malformed serialized objects in network traffic
SIEM Query:
source="camel.logs" AND ("deserialization" OR "ClassNotFoundException" OR "InvalidClassException")
🔗 References
- http://www.openwall.com/lists/oss-security/2020/05/14/10
- http://www.openwall.com/lists/oss-security/2020/05/14/8
- https://camel.apache.org/security/CVE-2020-11972.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html