Camel Dependency, Fixed in Akka 2.5.4

Date

August 2017-08-09

Description of Vulnerability

Apache Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643

To protect against such attacks the system should be updated to Akka 2.4.20, 2.5.4 or later. Dependencies to Camel libraries should be updated to version 2.17.7.

Severity

The CVSS score of this vulnerability is 7.4 (High), according to CVE-2017-5643.

Affected Versions

Akka 2.4.19 and prior
Akka 2.5.3 and prior

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

Akka 2.4.20 (Scala 2.11, 2.12)
Akka 2.5.4 (Scala 2.11, 2.12)

Acknowledgements

We would like to thank Thomas Szymanski for bringing this issue to our attention.