Apache Camel-PQC Unsafe Deserialization Vulnerability in FileBasedKeyLifecycleManager

Vulnerability

A vulnerability exists in the Apache Camel-PQC component, specifically in the FileBasedKeyLifecycleManager class, in versions from 4.19.0 before 4.20.0 and from 4.18.0 before 4.18.2. The class deserializes the `<keyId>.key` files in the configured key directory with java.io.ObjectInputStream, without any ObjectInputFilter or other class-loading restriction. Because of this, an attacker who can place a malicious serialized Java object in that directory gets it deserialized during routine key lifecycle operations, which executes arbitrary code in the application's context. Exploitation requires write access to the key directory, which could be obtained through path traversal, improper filesystem permissions, a compromised key provisioning pipeline, or a symlink attack.

Impact

Successful exploitation leads to arbitrary code execution in the context of the affected application.

Remediation

Users are advised to upgrade to Apache Camel version 4.20.0, or to 4.18.2 for those on the 4.18.x LTS release stream. Version 4.20.0 addresses the vulnerability by replacing the java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 encoding for private keys and X.509 SubjectPublicKeyInfo encoding for public keys, stored as Base64 in JSON.
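The two storage designs side by side, as an added illustration that is not code from Apache Camel: a loader that reads a key with a bare ObjectInputStream (the pattern the advisory describes) next to a PKCS#8/SubjectPublicKeyInfo store modelled on the 4.20.0 fix. The method names, the `.priv`/`.pub` file names and the use of "EC" as a stand-in key algorithm are assumptions for the demo; the page does not give the class's real method names or its JSON layout, so the JSON wrapper is left out.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;
import java.util.*;

public class KeyFileStorageExample {

    // Vulnerable pattern described in the advisory: native Java serialization with
    // no ObjectInputFilter, so file content decides which classes get instantiated.
    static Key loadKeyUnsafe(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (Key) in.readObject();
        }
    }

    // Hardened storage modelled on the 4.20.0 fix: PKCS#8 for the private key,
    // X.509 SubjectPublicKeyInfo for the public key, each Base64-encoded on disk.
    // File names <keyId>.priv / <keyId>.pub are assumptions for this demo.
    static void saveKeyPair(KeyPair kp, Path dir, String keyId) throws IOException {
        Base64.Encoder b64 = Base64.getEncoder();
        Files.writeString(dir.resolve(keyId + ".priv"), b64.encodeToString(kp.getPrivate().getEncoded()));
        Files.writeString(dir.resolve(keyId + ".pub"), b64.encodeToString(kp.getPublic().getEncoded()));
    }

    // Loading goes through KeyFactory: a tampered file fails with InvalidKeySpecException
    // (or IllegalArgumentException from the Base64 decoder); no class loading is file-driven.
    static KeyPair loadKeyPair(Path dir, String keyId, String algorithm)
            throws IOException, GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(algorithm);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] priv = b64.decode(Files.readString(dir.resolve(keyId + ".priv")).trim());
        byte[] pub = b64.decode(Files.readString(dir.resolve(keyId + ".pub")).trim());
        return new KeyPair(kf.generatePublic(new X509EncodedKeySpec(pub)),
                           kf.generatePrivate(new PKCS8EncodedKeySpec(priv)));
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("camel-pqc-demo");
        // "EC" is a stand-in algorithm for the demo; the real component manages PQC keys.
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair();
        saveKeyPair(kp, dir, "demo");
        KeyPair back = loadKeyPair(dir, "demo", "EC");
        System.out.println("round trip ok: "
                + Arrays.equals(kp.getPrivate().getEncoded(), back.getPrivate().getEncoded()));
    }
}
```

Where serialized key files must still be read during a migration, ObjectInputStream.setObjectInputFilter with an allow-list of the expected key classes is the stopgap; the structural fix is the encoding change.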

Added: Apr 27, 2026, 9:38 AM
Updated: Apr 27, 2026, 9:38 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 2.3
remediation: 7.7
relevance: 6.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.