Apache Camel
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*
- >= 4.10.0, < 4.10.2
- >= 4.8.0, < 4.8.5
- >= 3.10.0, < 3.22.4
A header injection vulnerability has been identified in Apache Camel versions 4.10.0 prior to 4.10.2, 4.8.0 prior to 4.8.5, and 3.10.0 prior to 3.22.4. This vulnerability resides in Camel's default incoming header filter, which improperly validates header names. As a result, an attacker can inject Camel-specific headers that may alter the behavior of certain components, such as 'camel-bean' or 'camel-exec'. Exploitation is possible if the Camel application is exposed to the internet via HTTP and uses specific vulnerable components. The issue can be exploited by including malicious headers or parameters in HTTP requests, which are then translated into headers that can manipulate the application's behavior.
Exploitation of this vulnerability allows for arbitrary command execution on the server where the vulnerable Apache Camel application is running.
To reproduce this vulnerability, first deploy an Apache Camel application using a vulnerable version and one of the affected HTTP components (camel-servlet, camel-jetty, camel-undertow, camel-platform-http, or camel-netty-http). The application should be configured to route exchanges to a 'camel-bean' producer that invokes a bean with multiple methods. Once the application is running, send an HTTP request to the exposed endpoint, including a 'CAmelExecCommandExecutable' header with a command to execute. The response will reveal the output of the executed command, demonstrating successful exploitation.
Upgrade to Apache Camel versions 4.10.2, 4.8.5, or 3.22.4. Additionally, users can implement the 'removeHeaders' Enterprise Integration Pattern (EIP) to filter out headers that do not comply with the default naming conventions.
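An added illustration, not Camel's own code: a self-contained Java model of the incoming header-name check that this advisory concerns. It assumes (consistent with the mixed-case header name quoted above) that the pre-fix filter compared the reserved 'Camel' and 'org.apache.camel' prefixes case-sensitively, and shows why 'CAmelExecCommandExecutable' slips past such a check while a case-normalising check, which is the effect the removeHeaders mitigation above aims for, drops it. Class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Model of the incoming-header name filter (illustration only, not Camel's DefaultHeaderFilterStrategy).
public class CamelHeaderNameCheck {

    // Prefixes reserved for Camel-internal headers; external clients must never be able to set them.
    private static final String[] RESERVED_PREFIXES = { "camel", "org.apache.camel" };

    // Assumed pre-fix behaviour: case-sensitive prefix comparison, so "CAmelExecCommandExecutable" is not caught.
    static boolean weakIsReservedHeader(String name) {
        return name.startsWith("Camel") || name.startsWith("org.apache.camel");
    }

    // Hardened check: normalise case first. HTTP header names are case-insensitive and Camel keeps
    // message headers in a case-insensitive map, so a case-sensitive filter cannot be relied on.
    static boolean hardenedIsReservedHeader(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        for (String prefix : RESERVED_PREFIXES) {
            if (lower.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Copy of the incoming headers with every reserved-prefix name removed (the effect the removeHeaders EIP mitigation aims for).
    static Map<String, String> dropReservedHeaders(Map<String, String> incoming) {
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            if (!hardenedIsReservedHeader(e.getKey())) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample request; the header value is a placeholder, not a real command.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Content-Type", "text/plain");
        request.put("CAmelExecCommandExecutable", "<attacker-controlled value>");
        request.put("org.APACHE.camel.Internal", "x");
        for (String name : request.keySet()) {
            System.out.printf("%-30s weak=%-5b hardened=%b%n", name, weakIsReservedHeader(name), hardenedIsReservedHeader(name));
        }
        System.out.println("kept after filtering: " + dropReservedHeaders(request).keySet());
    }
}
```

Run with `java CamelHeaderNameCheck.java`; only `Content-Type` survives the hardened filter, while the weak check reports both spoofed names as allowed.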