Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability
If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that use the content header application/x-java-serialized-object.
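The primary fix is the upgrade described below. As a defence-in-depth measure for camel-servlet deployments that cannot be upgraded immediately, the following added example (not code from the Apache Camel project) shows a plain servlet filter that rejects any request declaring the media type named above before the body can reach the Camel consumer, and logs the attempt so it can be picked up by monitoring. The class name RejectJavaSerializedObjectFilter and the 415 response are assumptions of this example; the javax.servlet API used is the standard one of the Camel 2.x era.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical compensating control (added example, not Apache Camel code):
 * a servlet filter that refuses requests whose body is declared as a
 * Java-serialized object, so that a camel-servlet consumer behind it never
 * sees such a request.
 */
public class RejectJavaSerializedObjectFilter implements Filter {

    // Media type named in the advisory. The comparison ignores case and any
    // parameters (";charset=...") so that trivial variations are still caught.
    static final String BLOCKED_TYPE = "application/x-java-serialized-object";

    static boolean isBlocked(String contentType) {
        if (contentType == null) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim();
        return mediaType.equalsIgnoreCase(BLOCKED_TYPE);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        if (isBlocked(httpRequest.getContentType())) {
            // Record the attempt for detection, then refuse with
            // 415 Unsupported Media Type without reading the body.
            httpRequest.getServletContext().log("Rejected Java-serialized request from "
                    + httpRequest.getRemoteAddr() + " to " + httpRequest.getRequestURI());
            httpResponse.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE,
                    "application/x-java-serialized-object is not accepted");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a url-pattern that covers the mapping of Camel's CamelHttpTransportServlet, so it runs ahead of the Camel consumer. For camel-jetty consumers the same content-type check belongs in a Processor at the very start of the route; the filter above does not cover that case. Note that the fixed Camel versions turn Java serialization on HTTP consumers off by default and require it to be enabled explicitly through the allowJavaSerializedObject option (not mentioned on this page), so after upgrading the filter is no longer needed for this issue.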

Please study this security vulnerability carefully!

  • CVE-2015-5348 - [1]

You can download the fixed Apache Camel 2.15.x and 2.16.x versions from the Apache mirrors [2] or from the Central Maven repository.

[1] http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2
[2] http://camel.apache.org/download

On behalf of the Camel PMC,
Claus Ibsen

© 2004-2015 The Apache Software Foundation.