Apache Camel
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*
- >= 3.0.0, < 4.14.7
- >= 4.15.0, < 4.18.2
- >= 4.19.0, < 4.20.0
A remote code execution vulnerability exists in Apache Camel's JMS components, specifically camel-jms, camel-sjms, camel-sjms2, and camel-amqp. The issue arises because the JmsBinding.extractBodyFromJms() method deserializes the payload of incoming JMS ObjectMessage messages without applying any ObjectInputFilter, class allowlist, or class denylist. The vulnerable path is reached when the mapJmsMessage option is enabled (the default) and Camel is acting as a JMS consumer. An attacker who can publish to a queue or topic consumed by a Camel application can exploit this by sending a crafted ObjectMessage; the result is remote code execution if a usable deserialization gadget chain is present on the consumer's classpath.
Successful exploitation yields remote code execution on the host running the affected Camel application, with the privileges of the Camel process.
Users are advised to upgrade to Apache Camel version 4.20.0, 4.14.7 (for 4.14.x LTS releases), or 4.18.2 (for 4.18.x releases).
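The following is an added example, not code from the Apache Camel project or from this advisory, illustrating the two halves of the issue described above: a consumer route on the vulnerable default (mapJmsMessage enabled, so Camel deserializes ObjectMessage bodies before the route sees them) and a hardened route that disables mapJmsMessage and refuses ObjectMessage without ever calling getObject(), plus a process-wide JEP 290 ObjectInputFilter as defense in depth for any deserialization the application still performs. Assumptions: Camel 4.x with jakarta.jms imports (Camel 3.x uses javax.jms), a broker ConnectionFactory reachable under the hypothetical JNDI name jms/ConnectionFactory, and a hypothetical allowlisted package com.example.orders. None of this replaces the upgrade the advisory recommends.

```java
import java.io.ObjectInputFilter;
import jakarta.jms.ConnectionFactory;
import jakarta.jms.Message;
import jakarta.jms.ObjectMessage;
import jakarta.jms.TextMessage;
import javax.naming.InitialContext;
import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

public class HardenedJmsConsumer {

    /**
     * Process-wide JEP 290 serialization filter (Java 9+). It applies to every
     * ObjectInputStream that does not install its own filter, which includes the
     * stream most JMS providers open inside ObjectMessage.getObject(). The
     * allowlisted package is hypothetical; "!*" rejects every other class.
     */
    static void installSerialFilter() {
        if (ObjectInputFilter.Config.getSerialFilter() != null) {
            return; // already set, e.g. via -Djdk.serialFilter on the command line; it can only be set once
        }
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("com.example.orders.*;!*"));
    }

    /** Vulnerable default: mapJmsMessage is true, so Camel deserializes ObjectMessage bodies itself. */
    static RouteBuilder vulnerableRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                from("jms:queue:orders?connectionFactory=#connectionFactory")
                    .to("log:orders");
            }
        };
    }

    /**
     * Hardened route: with mapJmsMessage=false the exchange body is the raw JMS
     * Message, so nothing is deserialized unless the route does it explicitly.
     * ObjectMessage is rejected outright; only TextMessage is accepted.
     */
    static RouteBuilder hardenedRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                from("jms:queue:orders?connectionFactory=#connectionFactory&mapJmsMessage=false")
                    .process(exchange -> {
                        Message jms = exchange.getMessage().getBody(Message.class);
                        if (jms instanceof ObjectMessage) {
                            // Never call getObject(): that call is the deserialization sink.
                            throw new SecurityException(
                                "ObjectMessage rejected: " + jms.getJMSMessageID());
                        }
                        if (jms instanceof TextMessage) {
                            exchange.getMessage().setBody(((TextMessage) jms).getText());
                        } else {
                            throw new SecurityException(
                                "Unsupported JMS message type: " + jms.getClass().getName());
                        }
                    })
                    .to("log:orders");
            }
        };
    }

    public static void main(String[] args) throws Exception {
        installSerialFilter();
        CamelContext context = new DefaultCamelContext();
        // Assumption: the broker's ConnectionFactory is bound under this JNDI name.
        ConnectionFactory cf =
            (ConnectionFactory) new InitialContext().lookup("jms/ConnectionFactory");
        context.getRegistry().bind("connectionFactory", cf);
        context.addRoutes(hardenedRoute()); // swap in vulnerableRoute() to reproduce the default behaviour
        context.start();
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

Two caveats a practitioner should check before relying on this. First, a global filter as strict as "!*" also governs every other ObjectInputStream in the JVM (HTTP session replication, RMI, caches), so the allowlist must cover those or they will start failing; test the filter with -Djdk.serialFilter on a staging instance before hard-coding it. Second, the rejecting processor only helps if the route never calls getObject() on an ObjectMessage itself, and it does not cover Camel options that deserialize on other paths, so the upgrade to a fixed release remains the actual fix.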