{
  "threat_severity" : "Important",
  "public_date" : "2020-05-14T00:00:00Z",
  "bugzilla" : {
    "description" : "camel: Netty enables Java deserialization by default which could lead to remote code execution",
    "id" : "1848465",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1848465"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "A flaw was found in camel. Apache Camel RabbitMQ enables Java deserialization by default, without any means of disabling it, which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "Red Hat JBoss Fuse 6 and Red Hat Fuse 7 distribute camel with the affected `camel-netty` component. However, both Fuse 6 and Fuse 7 have deprecated the `camel-netty` component, which uses netty 3.x, in favour of `camel-netty4`, which uses netty 4.x; `camel-netty4` is not affected by this flaw. The `camel-netty` component is deprecated and should no longer be used.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.8.0",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5568",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "camel-netty",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "camel-netty",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "camel-netty",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11973\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11973" ],
  "name" : "CVE-2020-11973",
  "mitigation" : {
    "value" : "Red Hat JBoss Fuse 6 & Red Hat Fuse 7 customers should use `camel-netty4` instead",
    "lang" : "en:us"
  },
  "csaw" : false
}