9 August 2017
Apache Camel’s Validation Component is vulnerable to SSRF via remote DTDs and XXE, as described in CVE-2017-5643.
To protect against such attacks, the system should be updated to Akka 2.4.20, 2.5.4 or later. Dependencies on Camel libraries should be updated to version 2.17.7.
Affected versions:
- Akka 2.4.19 and prior
- Akka 2.5.3 and prior
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
- Akka 2.4.20 (Scala 2.11, 2.12)
- Akka 2.5.4 (Scala 2.11, 2.12)
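One way to check a resolved dependency list against the version thresholds stated in this advisory, as an added example (not code from the Akka project). It assumes `group:artifact:version` lines, that Akka modules in the `com.typesafe.akka` group with a 2.x version follow the Akka release version, and the sample coordinates are constructed.

```python
import re

# Thresholds taken from the advisory text.
AKKA_24_FIXED = (2, 4, 20)
AKKA_25_FIXED = (2, 5, 4)
CAMEL_TARGET = (2, 17, 7)

def parse(version):
    """Return (major, minor, patch) for a plain x.y.z version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(coordinate):
    """Classify one 'group:artifact:version' line as
    'update', 'ok', 'review' or 'not-covered'."""
    parts = coordinate.strip().split(":")
    if len(parts) != 3:
        return "review"                 # unexpected format: check by hand
    group, _artifact, version = parts
    if group not in ("com.typesafe.akka", "org.apache.camel"):
        return "not-covered"
    v = parse(version)
    if v is None:
        return "review"                 # snapshot, milestone or RC build
    if group == "org.apache.camel":
        if v < CAMEL_TARGET:
            return "update"
        # The advisory names only 2.17.7; anything newer needs a manual check.
        return "ok" if v == CAMEL_TARGET else "review"
    if v[0] != 2:
        return "not-covered"            # separately versioned module (assumption)
    if v < AKKA_24_FIXED:
        return "update"                 # 2.4.19 and prior
    if v[:2] == (2, 4):
        return "ok"                     # 2.4.20 or later in the 2.4 line
    return "update" if v < AKKA_25_FIXED else "ok"   # 2.5.3 and prior / 2.5.4+

def audit(lines):
    """Map every covered coordinate to its status."""
    result = {c.strip(): classify(c) for c in lines if c.strip()}
    return {c: s for c, s in result.items() if s != "not-covered"}

if __name__ == "__main__":
    SAMPLE = [  # constructed dependency list
        "com.typesafe.akka:akka-camel_2.11:2.4.19",
        "com.typesafe.akka:akka-actor_2.12:2.5.4",
        "org.apache.camel:camel-core:2.17.6",
    ]
    for coord, status in audit(SAMPLE).items():
        print(f"{status:7} {coord}")
```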
We would like to thank Thomas Szymanski for bringing this issue to our attention.