Camel Dependency, Fixed in Akka 2.5.4

Date

9 August 2017

Description of Vulnerability

Apache Camel’s Validation Component is vulnerable to SSRF via remote DTDs and to XXE, as described in CVE-2017-5643.

To protect against such attacks, the system should be updated to Akka 2.4.20, 2.5.4 or later. Dependencies on Camel libraries should be updated to version 2.17.7.
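The remediation is the version bump above; as an added illustration that is not code from the Akka or Camel projects, the following plain-Java JAXP validator shows the property settings that make a schema validator reject a document whose DOCTYPE points at a remote DTD instead of fetching it. The class name, the sample document, the schema and the host name dtd-host.invalid are constructed for this example, and it assumes the JDK's built-in JAXP implementation.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXParseException;

public class HardenedXmlValidation {
    // Constructed sample (placeholder host): the DOCTYPE points at a DTD on a remote
    // server. A validator that resolves it makes an outbound request (SSRF) and
    // expands whatever entities that DTD declares (XXE).
    static final String DOC_WITH_REMOTE_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order SYSTEM \"http://dtd-host.invalid/order.dtd\">\n"
      + "<order><id>42</id></order>";
    // Constructed schema: an <order> element containing one integer <id>.
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"order\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"id\" type=\"xs:int\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Builds a validator that is not allowed to reach the network for DTDs or schemas.
    static Validator hardenedValidator() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // "" = no protocol allowed
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(SCHEMA)));
        Validator v = schema.newValidator();
        // The Validator parses the instance document itself, so it needs the same
        // restrictions; otherwise the DOCTYPE in the sample would still be fetched.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    public static void main(String[] args) throws Exception {
        Validator v = hardenedValidator();
        try {
            v.validate(new StreamSource(new StringReader(DOC_WITH_REMOTE_DTD)));
            System.out.println("unexpected: remote-DTD document accepted");
        } catch (SAXParseException e) {
            // Expected: rejected before any connection to dtd-host.invalid is opened.
            System.out.println("rejected: " + e.getMessage());
        }
        v.validate(new StreamSource(new StringReader("<order><id>42</id></order>")));
        System.out.println("clean document validated");
    }
}
```

The same two properties can be set on any JAXP SchemaFactory and Validator an application constructs itself; they do not change the Camel dependency, which still needs the upgrade stated above.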

Severity

The CVSS score of this vulnerability is 7.4 (High), according to CVE-2017-5643.

Affected Versions

  • Akka 2.4.19 and prior
  • Akka 2.5.3 and prior

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

  • Akka 2.4.20 (Scala 2.11, 2.12)
  • Akka 2.5.4 (Scala 2.11, 2.12)

Acknowledgements

We would like to thank Thomas Szymanski for bringing this issue to our attention.
