Apache Camel Camel-Undertow Message Header Injection Vulnerability

Vulnerability

A bypass/injection vulnerability has been identified in the Apache Camel Camel-Undertow component, affecting versions from 4.10.0 before 4.10.3 and from 4.8.0 before 4.8.6. The component's custom header filter strategy filters only outgoing headers, not incoming ones, so an attacker can inject Camel-specific headers that alter the behavior of certain components, such as camel-bean or camel-exec. The vulnerability is exploitable when a Camel application is exposed directly to the internet over HTTP, where malicious HTTP headers, or request parameters that are translated into headers, reach the route unfiltered.

Impact

Exploitation of this vulnerability allows Camel message header injection, which can disrupt Camel components that rely on header information, such as camel-bean and camel-exec. With camel-bean, an attacker could use injected headers to invoke unintended methods on a bean, potentially leading to unauthorized actions or data exposure. With camel-jms, a malicious header could redirect messages to a queue other than the intended one.

Reproduction

To reproduce this vulnerability, run an Apache Camel application that uses the Camel-Undertow component and is exposed directly to the internet over HTTP. Send the application an HTTP request that includes custom headers or request parameters. The injected headers bypass the default filtering mechanism and can alter the application's behavior, particularly if it uses the camel-bean component with a bean that exposes multiple methods.

Remediation

Users are advised to upgrade to Apache Camel 4.10.3 (4.10.x LTS) or 4.8.6 (4.8.x LTS). Users of Apache Camel 3.x releases should upgrade to 3.22.4.
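As an added defence-in-depth illustration (example code written for this page, not code from the advisory or from the Apache Camel project), the following Camel Java DSL route removes client-supplied Camel-prefixed headers before the exchange reaches a bean, so that neither injected HTTP headers nor request parameters translated into headers can select bean behaviour. The endpoint path, the `orderService` bean with its `submit` method, and the allow-list of headers the undertow consumer sets itself are assumptions; upgrading to the fixed versions stated above remains the actual fix.

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import org.apache.camel.Message;
import org.apache.camel.builder.RouteBuilder;

// Added example; not code from the advisory or from the Apache Camel project.
// Assumes a bean registered as "orderService" (hypothetical) whose only intended
// entry point is submit(). The route strips inbound Camel-prefixed headers as
// defence in depth; upgrading Camel is the real remediation.
public class HardenedUndertowRoute extends RouteBuilder {

    // Headers the undertow consumer itself derives from the request line. This is an
    // assumed starting allow-list; extend it only if later steps rely on other
    // consumer-set headers. Comparison is case-insensitive.
    private static final Set<String> CONSUMER_OWNED = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        CONSUMER_OWNED.addAll(List.of("CamelHttpMethod", "CamelHttpPath", "CamelHttpUri", "CamelHttpQuery"));
    }

    @Override
    public void configure() {
        from("undertow:http://0.0.0.0:8080/orders")
            // First step of the route: drop every header carrying the Camel prefix that the
            // consumer did not set itself. Request parameters that undertow turned into
            // headers are already present on the message here, so they are covered too.
            .process(exchange -> stripCamelHeaders(exchange.getIn()))
            // Name the target method on the endpoint so the route states what it invokes
            // rather than leaving method selection to message headers.
            .to("bean:orderService?method=submit");
    }

    // Collect names first, then remove them through the Message API, so the headers
    // map is never modified while it is being iterated. The prefix check is
    // case-insensitive so mixed-case spellings of a Camel header name are caught as well.
    static void stripCamelHeaders(Message in) {
        List<String> injected = in.getHeaders().keySet().stream()
            .filter(name -> name.regionMatches(true, 0, "Camel", 0, 5))
            .filter(name -> !CONSUMER_OWNED.contains(name))
            .toList();
        injected.forEach(in::removeHeader);
    }
}
```

Place the stripping step before any component that interprets headers (bean, exec, jms); put it after such a component and it protects nothing.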

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 1.3
exploitability: 5.0
remediation: 7.9
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.