Apache Camel Header Injection Vulnerability in HTTP Components

Vulnerability

A bypass/injection vulnerability has been identified in Apache Camel versions 4.10.0 prior to 4.10.2, 4.8.0 prior to 4.8.5, and 3.10.0 prior to 3.22.4. The vulnerability arises from the default header filtering mechanism, which blocks only headers starting with 'Camel', 'camel', or 'org.apache.camel.'. Attackers can exploit this by injecting custom headers that alter the behavior of certain Camel components. For instance, in the 'camel-bean' component, an injected header can invoke a different method on a bean than the one originally intended. Similarly, with the 'camel-jms' component, a malicious header can redirect a message to an unintended queue on the same broker.

Impact

Exploitation of this vulnerability allows unauthorized injection of headers that manipulate the behavior of Apache Camel components, particularly 'camel-bean' and 'camel-jms', leading to unauthorized method invocations and message redirection, respectively.

Reproduction

To reproduce this vulnerability, set up an Apache Camel application using one of the vulnerable versions. Ensure that the application receives HTTP requests and uses a component that relies on the default header filter strategy, such as 'camel-servlet', 'camel-jetty', 'camel-undertow', 'camel-platform-http', or 'camel-netty-http'. In the Camel route, direct the exchange to a 'camel-bean' producer backed by a bean that implements multiple methods. Once the application is running, inject custom HTTP headers that bypass the default filtering, targeting the 'camel-bean' component to invoke unintended methods on the bean.

Remediation

Upgrade to Apache Camel version 4.10.2, 4.8.5, or 3.22.4. As an additional mitigation, remove or filter out unwanted headers in the Camel routes using the 'removeHeaders' Enterprise Integration Pattern (EIP) before the exchange reaches a component that interprets headers.
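Worked example of the 'removeHeaders' mitigation, added here and not taken from the advisory or from the Camel project: a Java DSL route in the shape the reproduction section describes, beside a hardened version of the same route. The endpoint paths, the OrderService bean and its registry name 'orderService', and the JMS queue name are assumptions for illustration; the bean is assumed to be bound in the Camel registry and a JMS connection factory to be configured.

```java
import org.apache.camel.builder.RouteBuilder;

public class OrderRoutes extends RouteBuilder {

    // Hypothetical bean with more than one public method: the situation the
    // advisory describes, where an injected header could select the wrong one.
    public static class OrderService {
        public String placeOrder(String body) { return "placed:" + body; }
        public String cancelOrder(String body) { return "cancelled:" + body; }
    }

    @Override
    public void configure() {
        // Shape that relies only on the default header filter strategy, as in
        // the reproduction steps: every inbound HTTP header that the default
        // filter does not block reaches the bean producer unchanged.
        from("platform-http:/orders-unfiltered")
            .to("bean:orderService");

        // Hardened shape. removeHeaders("*", ...) drops every header on the
        // message except the listed exclusions, so nothing an external caller
        // sent can influence bean method selection or the JMS destination.
        // Pinning method=placeOrder on the bean URI removes the remaining
        // ambiguity even if a header were to slip through.
        from("platform-http:/orders")
            .removeHeaders("*", "Content-Type", "Accept")
            .to("bean:orderService?method=placeOrder")
            .to("jms:queue:orders");
    }
}
```

The exclusion list should name only the headers the route genuinely consumes; a deny-list of known-bad names is the pattern this vulnerability shows to be fragile.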

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          5.0
exploitability  6.0
remediation     7.9
relevance       0.0
threat          7.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.