Camel Dependency, Fixed in Akka 2.5.4
Date
9 August 2017
Description of Vulnerability
Apache Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643
To protect against such attacks the system should be updated to Akka 2.4.20, 2.5.4 or later. Dependencies to Camel libraries should be updated to version 2.17.7.
Severity
The CVSS score of this vulnerability is 7.4 (High), according to CVE-2017-5643.
Affected Versions
- Akka 2.4.19 and prior
- Akka 2.5.3 and prior
Fixed Versions
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
- Akka 2.4.20 (Scala 2.11, 2.12)
- Akka 2.5.4 (Scala 2.11, 2.12)
Acknowledgements
We would like to thank Thomas Szymanski for bringing this issue to our attention.