raboof/pekko
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity Actions 11

security announcement CVE-2017-5643

Browse source
This commit is contained in:
Patrik Nordwall 2017-08-09 12:55:27 +02:00
parent e079fe3991
commit f8fd3c6488
2 changed files with 32 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

31
akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md Normal file
View file

@ -0,0 +1,31 @@
# Camel Dependency, Fixed in Akka 2.5.4
### Date
9 August 2017
### Description of Vulnerability
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643)
To protect against such attacks the system should be updated to Akka *2.4.20*, *2.5.4* or later. Dependencies to Camel libraries should be updated to version 2.17.7.
### Severity
The [CVSS](https://en.wikipedia.org/wiki/CVSS) score of this vulnerability is 7.4 (High), according to [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643).
### Affected Versions
* Akka *2.4.19* and prior
* Akka *2.5.3* and prior
### Fixed Versions
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
* Akka *2.4.20* (Scala 2.11, 2.12)
* Akka *2.5.4* (Scala 2.11, 2.12)
### Acknowledgements
We would like to thank Thomas Szymanski for bringing this issue to our attention.

1
akka-docs/src/main/paradox/scala/security/index.md
View file

@ -29,5 +29,6 @@ to ensure that a fix can be provided without delay.
@@@ index @@@ index
* [2017-02-10-java-serialization](2017-02-10-java-serialization.md) * [2017-02-10-java-serialization](2017-02-10-java-serialization.md)
* [2017-08-09-camel](2017-08-09-camel.md)
@@@ @@@