Apache Camel LevelDB Component Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in the Apache Camel LevelDB component, specifically in versions 4.10.0 prior to 4.10.8, 4.14.0 prior to 4.14.5, and 4.15.0 prior to 4.18.0. The issue arises in the DefaultLevelDBSerializer class, which deserializes data from the LevelDB aggregation repository using java.io.ObjectInputStream without any filtering or class-loading restrictions. This flaw allows an attacker with write access to the LevelDB database files to inject a malicious serialized Java object. When this object is deserialized during regular repository operations, it can execute arbitrary code within the application's context.
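The missing control the advisory describes, shown as an added example that is not Camel's own code: a hypothetical repository serializer (FilteredRepositorySerializer, an assumed name) that reads a stored value with an ObjectInputFilter allow-list and size limits instead of a bare ObjectInputStream, so a stored value of any other class is rejected before it is loaded. The allow-listed types and the sample values are assumptions for the demo.

```java
import java.io.*;
import java.util.*;

// Hypothetical serializer, not Camel's DefaultLevelDBSerializer.
public final class FilteredRepositorySerializer {

    // Assumed allow-list: only the types this repository is expected to store,
    // plus depth/size limits. "!*" rejects every other class before it is resolved.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=16;maxbytes=1048576;"
            + "java.lang.String;java.lang.Integer;java.lang.Long;java.lang.Number;"
            + "java.util.HashMap;!*");

    // Hardened read: the filter is consulted for each class descriptor in the stream
    // (superclass descriptors included, which is why java.lang.Number is listed above).
    static Object deserializeFiltered(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of value an aggregation repository legitimately stores.
        Map<String, Long> expected = new HashMap<>();
        expected.put("correlationId", 42L);
        System.out.println("allowed: " + deserializeFiltered(serialize(expected)));

        // Constructed sample of an unexpected type. It is harmless here and stands in for
        // any class the repository never intended to load; the filter rejects it with
        // an InvalidClassException before the class's readObject() can run.
        byte[] unexpected = serialize(new ArrayList<>());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with the jdk.serialFilter system property, which also covers ObjectInputStream instances created by third-party code.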

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected Apache Camel application is running.

Reproduction

The vulnerability can be reproduced by writing a crafted serialized object into the LevelDB database used by a Camel application. This can be done by sending a POST request to the application's exploit injection endpoint, after initializing the database and adding a test entry. Once the malicious payload is injected, it can be deserialized and executed by triggering a recovery scan or directly accessing the injected key, which activates the deserialization process and executes the embedded payload.

Remediation

Users are advised to upgrade to Apache Camel version 4.18.0, 4.10.9 for the 4.10.x LTS releases, or 4.14.5 for the 4.14.x LTS releases.

Added: Feb 23, 2026, 9:21 AM
Updated: Feb 23, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 3.6
remediation: 7.9
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.