Impact
Malicious Java objects received over a Hazelcast cluster are deserialized by Camel’s default Hazelcast instance without any filter, permitting an attacker who can reach the cluster to send a crafted serialized payload that runs on every Camel node. The flaw is a Deserialization of Untrusted Data vulnerability (CWE-502) and allows arbitrary code execution with the privileges of the Camel process.
Affected Systems
Apache Camel versions 4.0.0 through just before 4.14.8, 4.15.0 through just before 4.18.3, and 4.19.0 through just before 4.21.0 are affected. The issue resides in the camel-hazelcast component and impacts any route that uses a Hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set) as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository when the managed instance is created using Camel’s default configuration.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the EPSS probability is below 1%, but the vulnerability is not listed in CISA’s KEV catalog. An attacker with network access to the Hazelcast cluster or the ability to impersonate a cluster node can inject a malicious serialized payload, which is deserialized without filtering by Camel’s Hazel remote code execution on every Camel node that joins the cluster. The flaw is enabled by default and requires no special configuration, making the attack surface wide for deployments that do not restrict cluster membership or enforce authentication and TLS.
OpenCVE Enrichment